Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Gladinet CentreStack to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote
Analysis Summary
# Vulnerability: CentreStack Hard-Coded MachineKey Leading to Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-30406
- CVSS Score: 9.0 (Critical)
- CWE: Hard-coded Cryptographic Key
## Affected Systems
- Products: Gladinet CentreStack
- Versions: All versions prior to 16.4.10315.56368
- Configurations: Applicable when the application uses the default hard-coded "machineKey" in the IIS web.config file.
## Vulnerability Description
The vulnerability stems from a hard-coded cryptographic key (the ASP.NET `machineKey`) in the CentreStack application's IIS `web.config` file, which is used to sign and verify ViewState. An attacker who knows this fixed key can produce a serialized ViewState payload with a valid signature; the application trusts the signature and deserializes the payload on the server side, resulting in arbitrary code execution on the server.
## Exploitation
- Status: Exploited in the wild (exploitation reported in March 2025; added to the CISA KEV catalog).
- Complexity: Not explicitly rated; exploitation requires knowledge of the fixed `machineKey`, which the default configuration supplies, so no per-target secret has to be recovered.
- Attack Vector: Network (Implied, as it targets web application logic).
## Impact
- Confidentiality: High (Successful RCE allows access to system data).
- Integrity: High (Successful RCE allows modification or destruction of data/system state).
- Availability: High (Successful RCE can lead to system compromise or denial of service).
## Remediation
### Patches
- Apply CentreStack **Version 16.4.10315.56368** or later (Released April 3, 2025).
### Workarounds
- Replace the hard-coded `machineKey` value in the IIS `web.config` file with a freshly generated, installation-specific key as a temporary mitigation until the patch can be applied.
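The following PowerShell script is an added example, not part of the advisory and not Gladinet's own tooling. It checks an installed version string against the first fixed build named above and rotates the `machineKey` in a `web.config`, replacing whatever key is present with random, installation-specific values. The default `web.config` path and the way the installed version is obtained are assumptions; adjust both to the local install.

```powershell
# Added example (not from the advisory or from Gladinet): version check plus machineKey rotation.
# ASSUMPTION: the web.config path below is a placeholder; point it at the CentreStack site root.
param(
    [string]$WebConfigPath    = 'C:\PATH\TO\CentreStack\web.config',   # placeholder, adjust locally
    [string]$InstalledVersion = '16.3.0.0'                             # constructed sample value
)

# First fixed release per the advisory section above.
$FixedVersion = [version]'16.4.10315.56368'

function Test-CentreStackPatched {
    param([string]$Version)
    # [version] compares all four components numerically, so 16.4.10315.56368 > 16.4.9999.0.
    return ([version]$Version -ge $FixedVersion)
}

function New-RandomHexKey {
    param([int]$Bytes)
    # Cryptographically random bytes, rendered as the upper-case hex ASP.NET expects.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return (($buf | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Set-MachineKey {
    param([string]$Path)
    # Keep a timestamped backup so the change can be reverted.
    Copy-Item -Path $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"

    [xml]$cfg = Get-Content -Path $Path -Raw
    $sw = $cfg.configuration.'system.web'
    if (-not $sw) { throw "No <system.web> section found in $Path" }

    $mk = $sw.machineKey
    if (-not $mk) {
        # No explicit element: create one so the key is no longer inherited from elsewhere.
        $mk = $cfg.CreateElement('machineKey')
        [void]$sw.AppendChild($mk)
    }

    # 64-byte validation key for HMACSHA256 and 32-byte decryption key for AES.
    $mk.SetAttribute('validationKey', (New-RandomHexKey -Bytes 64))
    $mk.SetAttribute('decryptionKey', (New-RandomHexKey -Bytes 32))
    $mk.SetAttribute('validation',    'HMACSHA256')
    $mk.SetAttribute('decryption',    'AES')
    $cfg.Save($Path)
}

if (Test-CentreStackPatched -Version $InstalledVersion) {
    Write-Output "Version $InstalledVersion is at or above the fixed build; no workaround needed."
} else {
    Write-Output "Version $InstalledVersion is vulnerable; rotating machineKey in $WebConfigPath."
    Set-MachineKey -Path $WebConfigPath
    Write-Output "Done. Recycle the IIS application pool so the new key takes effect."
}
```

Two points to check before running this on a production host: every node of a load-balanced CentreStack deployment must carry the same `validationKey`/`decryptionKey`, otherwise ViewState produced by one node is rejected by the others, so generate the key once and copy it rather than running the script per node; and rotating the key invalidates all existing ViewState and forms-authentication tickets, so users will be signed out.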
## Detection
- **Indicators of Compromise:** Server-side deserialization of attacker-supplied ViewState, or evidence of command execution by the IIS worker process, as recorded by application logs or host monitoring tools.
- **Detection methods and tools:** Monitor application and web server logs for unusual HTTP POST requests carrying ViewState data to CentreStack endpoints, and alert on child processes or outbound connections spawned by the IIS worker process. IDS/IPS signatures for known ViewState deserialization exploitation techniques against ASP.NET applications may also be effective.
## References
- Vendor Advisory: gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
- CISA KEV Catalog Entry: cisa.gov/news-events/alerts/2025/04/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CVE Record: cve.org/CVERecord?id=CVE-2025-30406