CVE-2025-30406 Scanner

Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE CVE-2025-30406 Scanner

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 14 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Gladinet CentreStack is a cloud file server solution that enables businesses to host and manage their own enterprise file sync and share services. It is widely used by managed service providers (MSPs), enterprises, and IT professionals for secure file access, collaboration, and backup. The software integrates with on-premise file servers and supports cloud migration strategies. It provides a centralized platform for secure access from desktop, mobile, and web clients. Designed with enterprise needs in mind, it focuses on ease of management, granular control, and regulatory compliance. It is primarily deployed in private or hybrid cloud environments where data governance is critical.

This vulnerability allows unauthenticated remote code execution because affected versions of the software ship with a hard-coded ASP.NET machineKey. An attacker who knows the static key can craft serialized objects that the server deserializes without any authentication. A flaw of this type opens the door to a range of malicious activity, up to full system compromise. It was observed being exploited in the wild in March 2025. The root cause is an insecure design decision: the shared static key lets forged input pass the integrity check that is supposed to reject untrusted data, bypassing the usual authorization mechanisms. The vulnerability is rated critical because it is easy to exploit and the potential impact is severe.

The vulnerability lies in the `/portal/loginpage.aspx` endpoint of the CentreStack web interface. The deserialization flaw is triggered when a specially crafted payload is sent in the `__VIEWSTATE` parameter. Because the application uses a known, static machineKey to encrypt and sign ViewState, an attacker can forge a payload that passes the server's signature check. When the server deserializes that payload, the attacker-chosen object graph is instantiated in the application's process and its code runs, giving remote code execution on the server without any authentication. The flaw was fixed in version 16.4.10315.56368 by updating the cryptographic handling and removing the hard-coded key.
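As an added example (not the scanner's or Gladinet's own code), the following Python checks, on a host you administer, the two indicators this page describes: an installed version below the fixed build, and a static ASP.NET machineKey in web.config instead of auto-generated keys. It assumes the standard ASP.NET `<system.web><machineKey>` layout and uses a constructed web.config whose key values are placeholders, not the real key.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# First fixed build named on the page; builds below it are affected.
FIXED_VERSION = (16, 4, 10315, 56368)

def parse_version(s: str) -> tuple:
    return tuple(int(p) for p in s.strip().split("."))

def version_is_vulnerable(installed: str) -> bool:
    return parse_version(installed) < FIXED_VERSION

def static_machine_key(web_config_xml: str) -> Optional[dict]:
    """Return machineKey attributes when keys are hard-coded, else None.

    ASP.NET reads <system.web><machineKey validationKey=".." decryptionKey=".."/>.
    'AutoGenerate' (optionally ',IsolateApps') means per-server keys; any literal
    hex string is a static key that could be known to an attacker.
    """
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None  # no explicit element: ASP.NET auto-generates the keys
    attrs = {k: mk.get(k, "AutoGenerate") for k in ("validationKey", "decryptionKey")}
    if all(v.upper().startswith("AUTOGENERATE") for v in attrs.values()):
        return None
    return attrs

def assess(installed_version: str, web_config_xml: str) -> list:
    """Collect findings; an empty list means neither indicator is present."""
    findings = []
    if version_is_vulnerable(installed_version):
        fixed = ".".join(map(str, FIXED_VERSION))
        findings.append(f"version {installed_version} is below fixed build {fixed}")
    if static_machine_key(web_config_xml) is not None:
        findings.append("static machineKey in web.config: rotate it or use AutoGenerate")
    return findings

# Constructed sample web.config; key values are placeholders, not the real key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_HEX_0000" decryptionKey="PLACEHOLDER_HEX_1111"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in assess("16.3.10000.1", SAMPLE_WEB_CONFIG):  # constructed version
        print("FINDING:", finding)
```

Run it against the real web.config and the version reported by the CentreStack installer; a host that is both patched and using auto-generated keys returns an empty list.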

If exploited, this vulnerability can allow a remote, unauthenticated attacker to execute arbitrary code on the target server. This means full control over the underlying operating system, potential data theft, lateral movement across networks, and installation of persistent backdoors. It poses a severe risk to the confidentiality, integrity, and availability of enterprise systems. Attackers may also use the access to compromise additional services connected to CentreStack. In some cases, this could result in ransomware deployment or irreversible system damage. Organizations running unpatched versions are at extremely high risk.
