CentreStack: deserialization vulnerability due to hardcoded cryptographic key (CVE-2025-30406) #shorts

Summary

In this episode, we'll be discussing CVE-2025-30406, a critical vulnerability in Gladinet CentreStack. Versions up to 16.1.10296.56315 ship with a hardcoded ASP.NET machineKey in the CentreStack portal's web configuration. Because the machineKey is what the framework uses to validate and decrypt the serialized state it accepts back from clients, anyone who knows the shipped value can forge a payload the server will accept and deserialize, which leads to remote code execution. The flaw has been exploited in the wild since March 2025 and has prompted alerts from both CISA and Huntress.

Product details

Gladinet CentreStack is a cloud storage and file-server portal product used by businesses for file sharing and cloud storage management. Versions up to and including 16.1.10296.56315 carry a critical deserialization vulnerability rooted in a hardcoded cryptographic key; the fix is available in version 16.4.10315.56368.

Vulnerability type summary

The vulnerability, CVE-2025-30406, is classified as CWE-321 (Use of Hard-coded Cryptographic Key). The CentreStack portal's web configuration file ships with a fixed machineKey, so every installation shares the same validation and decryption keys. An attacker who knows that key can produce serialized data that passes the server's integrity check and is then deserialized, and that deserialization is the path to remote code execution.

Details of the vulnerability

This deserialization vulnerability, exploited in the wild since March 2025, lets threat actors who hold the hardcoded machineKey craft a malicious serialized payload that the server accepts and deserializes, executing attacker-controlled code on the server side. Active exploitation has impacted at least seven organizations and over 120 endpoints globally. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, underscoring its severity and confirmed active exploitation.

Conclusion

CVE-2025-30406 is a severe vulnerability that illustrates the risk of hardcoded cryptographic keys: a secret baked into a product's configuration is a secret shared with everyone who has a copy of the product. Users of Gladinet CentreStack are urged to update to version 16.4.10315.56368 or later. As an interim measure, an administrator can manually remove the machineKey from portal\web.config, after which ASP.NET falls back to generating its own per-application keys; on a multi-server deployment that must share state between nodes, set a unique, randomly generated key on every node instead of relying on the shipped value. Either way, the shipped key must no longer be in use anywhere.
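To make the remediation concrete, here is an added example (not code from the page, the video, or Gladinet) that audits an ASP.NET web.config for a fixed machineKey and either removes the element, the interim step the advisory mentions, or replaces it with a freshly generated unique key. The web.config text and the placeholder hex keys below are constructed for the demo; the real shipped CentreStack key is not reproduced here.

```python
"""Audit an ASP.NET web.config for a static <machineKey> and remove or rotate it.

Added example for CVE-2025-30406 (CWE-321); not Gladinet code. Assumes the
standard <configuration><system.web><machineKey .../> layout of portal\\web.config.
"""
import os
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for a vendor-shipped key (not the real one).
PLACEHOLDER_VALIDATION_KEY = "ABCDEF0123456789" * 8   # 128 hex chars = 64-byte HMAC key
PLACEHOLDER_DECRYPTION_KEY = "0123456789ABCDEF" * 4   # 64 hex chars = 32-byte AES key

# Constructed sample web.config with the hardcoded-key pattern CWE-321 describes.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.7.2" />
    <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"
                decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

XML_DECLARATION = '<?xml version="1.0" encoding="utf-8"?>\n'


def find_machine_key(config_xml: str):
    """Return the first <machineKey> element's attributes, or None if absent.

    Searches every <system.web> (top-level and <location>-scoped overrides).
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    elems = root.findall(".//system.web/machineKey")
    return dict(elems[0].attrib) if elems else None


def is_static_key(attrs: dict) -> bool:
    """True when either key is a literal value rather than ASP.NET's
    AutoGenerate[,IsolateApps] setting (also the default when the element is absent)."""
    for name in ("validationKey", "decryptionKey"):
        if not attrs.get(name, "AutoGenerate,IsolateApps").startswith("AutoGenerate"):
            return True
    return False


def audit(config_xml: str) -> list:
    """Report a static machineKey. The script cannot tell a vendor-shipped value
    from a per-install one, so the operator confirms which it is."""
    attrs = find_machine_key(config_xml)
    if attrs is not None and is_static_key(attrs):
        return ["static machineKey present: if this value shipped with the product, "
                "anyone holding it can forge payloads the server will deserialize (CWE-321)"]
    return []


def generate_machine_key() -> dict:
    """Fresh random keys in the sizes ASP.NET accepts for HMACSHA256 / AES."""
    return {
        "validationKey": os.urandom(64).hex().upper(),
        "decryptionKey": os.urandom(32).hex().upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def remediate(config_xml: str, mode: str = "rotate") -> str:
    """Return the web.config text with the machineKey removed or rotated.

    mode="remove": drop the element so ASP.NET uses AutoGenerate,IsolateApps
                   (single-server deployments).
    mode="rotate": keep the element but replace the shipped key with a unique one
                   (use the same generated value on every node of a web farm).
    """
    if mode not in ("remove", "rotate"):
        raise ValueError(f"unknown mode: {mode}")
    root = ET.fromstring(config_xml.encode("utf-8"))
    for system_web in root.iter("system.web"):
        for elem in system_web.findall("machineKey"):
            if mode == "remove":
                system_web.remove(elem)
            else:
                elem.attrib.clear()
                elem.attrib.update(generate_machine_key())
    return XML_DECLARATION + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(remediate(SAMPLE_WEB_CONFIG, mode="rotate"))
```

Run it against a copy of portal\web.config; the functions return the modified XML rather than writing it back, so the file write and the IIS application restart are left to the operator. Removing the element relies on the AutoGenerate,IsolateApps default and is only appropriate for a single server; in a web farm a form rendered by one node may be posted back to another, so every node needs the same key, which means rotating to one generated value rather than deleting. After a rotation the audit still flags a static key by design, because the check cannot distinguish a shipped value from a unique one; what the operator verifies is that the value is no longer the one the product shipped with.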

Watch the full video on YouTube: CVE-2025-30406

CVE database technical details

CVE ID
CVE-2025-30406
Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
Provider
mitre
CWE / problem types
CWE-321 Use of Hard-coded Cryptographic Key
Affected Software Versions
Gladinet CentreStack: all versions before 16.4.10315.56368 (affected)
Date Published
2025-04-03T00:00:00.000Z
Last Updated
2025-04-08T22:20:23.351Z