CentreStack RCE exploited as zero-day to breach file sharing servers
Hackers have been exploiting a vulnerability in Gladinet CentreStack's secure file-sharing software as a zero-day since March to breach file-sharing servers.
Gladinet CentreStack is an enterprise file-sharing and access platform that turns on-premises file servers (such as Windows servers with SMB shares) into secure, cloud-like file systems, supporting remote access to internal file shares, file syncing and sharing, multi-tenant deployments, and integration with Active Directory.
The company claims the product is used by thousands of businesses across 49 countries, including enterprises with Windows-based file servers, MSPs hosting file services for multiple clients, and various organizations that need cloud-like access without cloud migration.
The flaw, tracked as CVE-2025-30406, is a deserialization vulnerability impacting Gladinet CentreStack versions up to 16.1.10296.56315. Exploitation in the wild has been observed since March 2025.
The issue stems from a hardcoded machineKey in the CentreStack portal's configuration (web.config). Because the same key ships with every installation, an attacker who knows it can craft a malicious serialized payload that the server will accept as authentic and deserialize.
According to the vendor's advisory, the improperly protected key is what secures ASP.NET ViewState. An attacker holding the key can forge ViewState that passes the integrity (MAC) check, inject arbitrary serialized objects, and ultimately execute code on the server.
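The mechanism behind the two paragraphs above, as an added example (not code from the article or from Gladinet): a deliberately simplified model of the ASP.NET ViewState integrity check. Real ASP.NET derives purpose-specific keys from machineKey and mixes page-specific modifiers into the MAC, so this is not a byte-compatible reimplementation; it shows only the property that matters for this bug, namely that whoever holds validationKey can mint ViewState the server accepts, and that rotating the key makes the same forged blob fail. The two hex keys are constructed placeholders for the demo, not CentreStack's real key (which the article does not publish).

```powershell
# Added example, not CentreStack code. Simplified ViewState MAC model:
# __VIEWSTATE = base64( payload || HMAC-SHA256(validationKey, payload) ).

function ConvertFrom-Hex {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Get-ViewStateMac {
    param([Parameter(Mandatory)][string]$ValidationKeyHex,
          [Parameter(Mandatory)][byte[]]$Payload)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new((ConvertFrom-Hex $ValidationKeyHex))
    try { return ,$hmac.ComputeHash($Payload) } finally { $hmac.Dispose() }
}

# What a page (or an attacker who knows the key) does to produce a __VIEWSTATE value.
function Protect-ViewState {
    param([string]$ValidationKeyHex, [byte[]]$Payload)
    $mac = Get-ViewStateMac -ValidationKeyHex $ValidationKeyHex -Payload $Payload
    return [Convert]::ToBase64String([byte[]]($Payload + $mac))
}

# What the server must do BEFORE deserializing anything: split off the MAC,
# recompute it, and compare in constant time. Returns $true only for a valid blob.
function Test-ViewState {
    param([string]$ValidationKeyHex, [string]$Blob)
    $raw = [Convert]::FromBase64String($Blob)
    if ($raw.Length -le 32) { return $false }            # no room for payload + 32-byte MAC
    $payload  = [byte[]]$raw[0..($raw.Length - 33)]
    $mac      = [byte[]]$raw[($raw.Length - 32)..($raw.Length - 1)]
    $expected = Get-ViewStateMac -ValidationKeyHex $ValidationKeyHex -Payload $payload
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($mac[$i] -bxor $expected[$i]) }
    return ($diff -eq 0)
}

# Constructed demo keys (32 bytes each), NOT the real shipped key.
$shippedKey = '3C7A1E9B5D2F804C6A1B3E9D7F5C2A4E8B0D6F1C3A5E7B9D2F4C6A8E0B1D3F5C'
$rotatedKey = '9E2D4B6A8C0F1E3D5C7B9A2F4E6D8C0B1A3F5E7D9C2B4A6F8E0D1C3B5A7F9E2D'

# Stand-in for an attacker-chosen serialized object; a real payload would be a
# gadget chain, which is deliberately not shown here.
$evil = [System.Text.Encoding]::UTF8.GetBytes('<attacker-controlled serialized object>')
$forged = Protect-ViewState -ValidationKeyHex $shippedKey -Payload $evil

Test-ViewState -ValidationKeyHex $shippedKey -Blob $forged   # True: the key is known, so the forgery passes
Test-ViewState -ValidationKeyHex $rotatedKey -Blob $forged   # False: after rotation the same blob is rejected
```

The second check is the whole point of the vendor's interim mitigation: the deserialization sink is unchanged, but without a valid MAC the server never reaches it. It also explains the operational caveat that follows, since any legitimate ViewState minted under the old key is rejected just as firmly.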
Fix and mitigations available
Gladinet released a security fix for CVE-2025-30406 on April 3, 2025, with versions 16.4.10315.56368, 16.3.4763.56357 (Windows), and 15.12.434 (macOS).
The vendor recommends that all users upgrade to the latest version for their platforms as soon as possible, or manually rotate the 'machineKey' in both 'root\web.config' and 'portal\web.config'.
"Exploitation has been observed in the wild. We strongly recommend updating to the patched version, which improves key management and mitigates exposure," advises Gladinet.
"For customers who cannot update immediately, rotating the machineKey values is a recommended interim mitigation."
Those who rotate the machineKey must use the same new key on every node of a multi-server deployment to avoid operational problems (a node with a different key rejects ViewState produced by its peers), and must restart IIS after the change for the mitigation to take effect.
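The rotation procedure described above, as an added example script (not Gladinet's tooling): it generates one fresh key pair, writes it into both web.config files on each node so the farm stays consistent, keeps a backup of each file, and restarts IIS. Assumptions: the install root path is a placeholder you must replace, the two config files sit at root\web.config and portal\web.config beneath it as the advisory says, and remote nodes are reachable with PowerShell Remoting.

```powershell
# Added example, not vendor code. Run once from any node; the same key is pushed everywhere.
param(
    [string]   $InstallRoot = 'C:\CentreStack',        # ASSUMPTION: replace with your install root
    [string[]] $Nodes       = @($env:COMPUTERNAME)     # list every node of the deployment here
)

function New-HexKey {
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [BitConverter]::ToString($bytes).Replace('-', '')
}

# Generate ONE pair for the whole farm: 64-byte validationKey for HMACSHA256, 32-byte decryptionKey for AES.
$validationKey = New-HexKey 64
$decryptionKey = New-HexKey 32

# Applied on each node; runs locally or via Invoke-Command with identical arguments.
$apply = {
    param($Root, $ValidationKey, $DecryptionKey)
    foreach ($rel in 'root\web.config', 'portal\web.config') {
        $path = Join-Path $Root $rel
        if (-not (Test-Path $path)) { throw "Missing $path" }
        Copy-Item $path "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # rollback copy
        [xml]$cfg = Get-Content -Raw -Path $path
        $web = $cfg.SelectSingleNode('/configuration/system.web')
        if (-not $web) { $web = $cfg.configuration.AppendChild($cfg.CreateElement('system.web')) }
        $mk = $web.SelectSingleNode('machineKey')
        if (-not $mk) { $mk = $web.AppendChild($cfg.CreateElement('machineKey')) }
        # Overwrite the static key; an explicit value is required so all nodes agree.
        $mk.SetAttribute('validationKey', $ValidationKey)
        $mk.SetAttribute('decryptionKey', $DecryptionKey)
        $mk.SetAttribute('validation', 'HMACSHA256')
        $mk.SetAttribute('decryption', 'AES')
        $cfg.Save($path)
    }
    & iisreset /noforce | Out-Null   # the new key is only read when the app pools restart
}

foreach ($node in $Nodes) {
    if ($node -ieq $env:COMPUTERNAME) {
        & $apply $InstallRoot $validationKey $decryptionKey
    } else {
        Invoke-Command -ComputerName $node -ScriptBlock $apply -ArgumentList $InstallRoot, $validationKey, $decryptionKey
    }
    Write-Host "Rotated machineKey on $node"
}

# Local sanity check without echoing the secret: both files must now carry the same key.
$seen = foreach ($rel in 'root\web.config', 'portal\web.config') {
    ([xml](Get-Content -Raw (Join-Path $InstallRoot $rel))).configuration.'system.web'.machineKey.validationKey
}
if (($seen | Select-Object -Unique).Count -ne 1) { throw 'machineKey mismatch between root and portal web.config' }
```

Schedule this in a maintenance window: the IIS restart and the key change together invalidate in-flight ViewState and encrypted cookies, so users are logged out. Keep the generated key out of logs and ticketing systems; a machineKey that leaks is exactly the condition this CVE describes.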
CISA has added CVE-2025-30406 to its Known Exploited Vulnerabilities catalog but has not indicated that it has been exploited by ransomware gangs.
However, given the nature of the product, it is likely being exploited for data theft attacks.
These types of flaws have historically been targeted by the Clop ransomware gang, which has expertise in exploiting file-sharing systems. Previous Clop data theft attacks targeted the Cleo, MOVEit Transfer, GoAnywhere MFT, SolarWinds Serv-U, and Accellion FTA secure file transfer platforms.
The U.S. agency has given impacted state and federal organizations until April 29, 2025, to apply security updates and mitigations or stop using the product.