Hackers exploited a vulnerability in Gladinet CentreStack’s safe file-sharing software program as a zero-day since March to breach storage servers
Gladinet CentreStack is an enterprise file-sharing and entry platform that turns on-premise file servers (like Home windows servers with SMB shares) into safe, cloud-like file programs supporting distant entry to inner file shares, file syncing and sharing, multi-tenant deployments, and integration with Lively Listing.
The corporate claims the product is utilized by 1000’s of companies throughout 49 international locations, together with enterprises with Home windows-based file servers, MSPs internet hosting file companies for a number of purchasers, and varied organizations that want cloud-like entry with out cloud migration.
The flaw, tracked as CVE-2025-30406, is a deserialization vulnerability impacting Gladinet CentreStack variations as much as 16.1.10296.56315. Exploitation within the wild has been noticed since March 2025.
The problem stems from utilizing a hardcoded machineKey within the CentreStack portal’s configuration (net.config). If an attacker is aware of this key, they will craft a malicious serialized payload that the server will belief and execute.
Based on the seller’s advisory, the improperly protected key secures ASP.NET ViewState, which, if cast, can enable attackers to bypass integrity checks, inject arbitrary serialized objects, and finally execute code on the server.
Repair and mitigations out there
Gladinet launched a safety repair for CVE-2025-30406 on April 3, 2025, with variations 16.4.10315.56368, 16.3.4763.56357 (Home windows), and 15.12.434 (macOS).
The seller recommends that every one customers improve to the newest model for his or her platforms as quickly as attainable, or manually rotate the ‘machineKey’ in each ‘rootweb.config’ and ‘portalweb.config.’
“Exploitation has been noticed within the wild. We strongly advocate updating to the patched model, which improves key administration and mitigates publicity,” advises Gladinet.
“For purchasers who can not replace instantly, rotating the machineKey values is a really useful interim mitigation.”
Those that carry out machineKey rotation on their atmosphere should guarantee consistency throughout nodes in multi-server deployments to keep away from operational issues and restart IIS after modifications for the mitigations to use.
CISA has added CVE-2025-30406 to its Identified Exploited Vulnerability catalog however has not indiciated it has been exploited by ransomware gangs.
Nonetheless, given the character of the product, it’s possible being exploited for information theft assaults.
All these flaws have traditionally been focused by the Clop ransomware gang, which has experience in exploiting file-sharing programs. Earlier Clop information theft assaults focused the Cleo, MOVEit Switch, GoAnywhere MFT, SolarWinds Serv-U, and Accelion FTA safe file switch platforms.
The U.S. company has given impacted state and federal organizations till April 29, 2025, to use safety updates and mitigations or cease utilizing the product.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the right way to defend towards them.
