
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a serious security vulnerability affecting Gladinet CentreStack, a popular enterprise file sharing and cloud enablement platform. The flaw, tracked as CVE-2025-30406, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation by attackers in the wild.
CVE-2025-30406
CVE-2025-30406 is a critical remote code execution (RCE) vulnerability caused by the use of a hard-coded cryptographic key within the software. This flaw is rated 9.0 on the CVSS (Common Vulnerability Scoring System), putting it in the high-risk category. It impacts CentreStack deployments that haven’t yet been updated to version 16.4.10315.56368, which was released on April 3, 2025, to fix the issue.
According to CISA, the vulnerability lies in how CentreStack manages the cryptographic keys used for ViewState integrity verification. The software includes a hard-coded “machineKey” in the IIS (Internet Information Services) web.config file. If an attacker gains access to this key or reverse engineers it, they can create malicious ViewState payloads. When these payloads are deserialized on the server side, they allow for unauthorized remote code execution.
This means a remote attacker could potentially run arbitrary code on the server, gaining full control of the system without needing valid login credentials.
What Is the “MachineKey” and Why Is It a Problem?
In ASP.NET applications like CentreStack, the machineKey is used to protect ViewState data, which carries the state of a web page between requests. Normally, this key should be securely generated and unique to each server. In the case of CentreStack, however, the key was hard-coded, meaning it was the same across multiple installations.
This makes it easier for attackers to predict or extract the key, especially if they already have knowledge of the software’s configuration. Once an attacker has the machineKey, they can forge ViewState data and exploit the deserialization process to execute code remotely.
Active Exploitation in the Wild
While CISA and Gladinet have not disclosed details about the attackers or how widespread the exploitation is, the fact that the flaw has been added to the KEV catalog confirms that real-world attacks have already occurred. Information from CVE.org indicates that the vulnerability was likely exploited as a zero-day in March 2025, meaning attackers were using it before a fix was publicly available.
This level of exploitation is particularly concerning for businesses using CentreStack, as attackers could silently gain access to sensitive data, disrupt operations, or deploy additional malware.

What Should Users Do?
Gladinet has released an official patch in version 16.4.10315.56368 of CentreStack. Organizations using the platform should immediately update to this version to secure their environments.
If updating is not possible in the short term, Gladinet recommends a temporary mitigation: rotate the machineKey value in the IIS web.config file. While this is not a complete fix, it may prevent attackers from using known or leaked keys to craft malicious payloads.
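The following script is an added example (not Gladinet or CentreStack code) of the defensive side of both points above: it audits a web.config for an explicit, static machineKey and weak ViewState algorithms, and rotates the key with fresh values from the OS random source. It assumes the standard ASP.NET layout of configuration/system.web/machineKey; the sample web.config and its key values are constructed for the example and belong to no real product.

```python
"""
Audit and rotate the ASP.NET <machineKey> element in an IIS web.config.

Added example, not code from Gladinet or CentreStack. It assumes the
standard ASP.NET layout <configuration><system.web><machineKey .../>;
CentreStack's real file paths and key values are not reproduced here.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config that ships a static machineKey. The key
# values are made up for this example and belong to no real product.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.7.2" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
"""

# Explicit key sizes in bytes: 64 for an HMACSHA256 validationKey and
# 32 for an AES-256 decryptionKey, the sizes Microsoft documents for
# manually configured keys.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def machine_key_attributes(config_xml: str) -> dict:
    """Return the attributes of the <machineKey> element, or {} if absent."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    return dict(mk.attrib) if mk is not None else {}


def audit_machine_key(config_xml: str) -> list:
    """Return human-readable findings about the machineKey in config_xml.

    An empty list means no explicit static key is configured (ASP.NET then
    auto-generates a per-server key) and no known-weak algorithm is set.
    A static key is only acceptable if it was generated for this deployment
    rather than shipped by a vendor inside the product's web.config."""
    attrs = machine_key_attributes(config_xml)
    findings = []
    if not attrs:
        return findings
    vkey = attrs.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = attrs.get("decryptionKey", "AutoGenerate,IsolateApps")
    if not vkey.startswith("AutoGenerate"):
        findings.append("static validationKey: identical on every install that ships this file")
    if not dkey.startswith("AutoGenerate"):
        findings.append("static decryptionKey: identical on every install that ships this file")
    if attrs.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("weak ViewState MAC algorithm: " + attrs["validation"])
    if attrs.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append("weak decryption algorithm: " + attrs["decryption"])
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Return config_xml with a freshly generated machineKey.

    Keys come from the OS CSPRNG via the secrets module. The rotated
    element always uses HMACSHA256 validation and AES decryption."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(VALIDATION_KEY_BYTES).upper())
    mk.set("decryptionKey", secrets.token_hex(DECRYPTION_KEY_BYTES).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Two operational caveats apply when rotating for real: every server in a web farm must receive the same new key, since ViewState and forms-authentication tickets issued by one node are validated by the others, and rotation invalidates any tickets and ViewState already in flight. Rotation also only neutralises the shipped key; the patched version is still required.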
CISA has also instructed federal agencies and critical infrastructure providers to apply the update by April 24, 2025, as part of their mandatory cybersecurity measures. Private organizations are strongly encouraged to follow the same guidance.
Summary and Key Takeaways
CVE-2025-30406 is a critical remote code execution vulnerability in Gladinet CentreStack.
The flaw is due to a hard-coded machineKey used for cryptographic validation in the ViewState feature of ASP.NET.
Attackers can exploit this vulnerability to execute malicious code on affected servers.
The vulnerability is being actively exploited in the wild, and was reportedly used as a zero-day attack in March 2025.
Gladinet has released a patch, and users should immediately upgrade to the latest version.
As a temporary workaround, administrators can change the machineKey manually to reduce risk.
CISA has included the flaw in its Known Exploited Vulnerabilities catalog, indicating its severity and active use by threat actors.
Conclusion
This incident is another reminder of the dangers of hard-coded secrets in application development. When cryptographic keys or passwords are embedded directly into code or configuration files, they become predictable and easily exploitable if discovered.
Organizations should not only patch this vulnerability as soon as possible, but also review their own applications and platforms for similar insecure coding practices. Secure key management and regular software updates are essential to defend against today’s sophisticated cyber threats.