Researchers at Huntress have identified a critical vulnerability in Gladinet’s CentreStack file server and Triofox file-sharing server, and are urging CISOs to update the applications immediately. The vulnerability, tracked as CVE-2025-30406, is being actively exploited and poses a serious risk of data breach and system compromise if left unpatched.
John Hammond, principal security researcher at Huntress, emphasized the urgency of addressing this vulnerability, stating that vulnerable servers are at risk of exploitation with minimal effort. The severity of the vulnerability was underscored by its inclusion in the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog.
According to Huntress, seven organizations have already fallen victim to attacks exploiting this vulnerability, highlighting the real-world impact of the issue. MITRE reported that the vulnerability has been exploited since March, underscoring the need for immediate action to mitigate the risk.
The vulnerability stems from hardcoded cryptographic keys in vulnerable Gladinet CentreStack and Triofox instances, making it easy for adversaries to obtain the keys and exploit them to compromise exposed servers. The risk is further compounded by the fact that there are a few hundred vulnerable servers exposed to the public internet, according to Shodan.
In response to the threat, Huntress recommended that vulnerable servers be updated to patched versions or have their machineKey values changed to prevent exploitation. Failure to address the vulnerability leaves servers susceptible to attacks leveraging ViewState deserialization, a well-documented attack technique.
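The mitigation above comes down to one configuration element: the ASP.NET `<machineKey>` in `web.config`. A key that is fixed in the config is legitimate for a web farm, but if the same value ships with every install of a product, anyone who reads it can forge signed ViewState. The following is an added example, not code from Huntress, Gladinet or the article: a small Python audit that parses a `web.config`, reports whether the keys are static or framework-generated, flags legacy algorithms, and produces a replacement element with freshly generated keys. The two sample configs and their hex values are constructed placeholders, not the keys discussed in the advisory.

```python
"""Audit an ASP.NET web.config for a static <machineKey> and rotate it.

Added example (not Gladinet's, Huntress's, or the article's code). The two
sample configs below are constructed; the hex values are placeholders and
are not the keys discussed in the advisory.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed: a config that ships the same fixed keys with every install.
STATIC_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed: keys generated per machine and per application by the framework.
AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
WEAK_VALIDATION = {"MD5", "SHA1"}   # legacy ViewState MAC algorithms
WEAK_DECRYPTION = {"DES", "3DES"}   # legacy ViewState/ticket ciphers


def audit_machine_key(config_xml: str) -> dict:
    """Return what an operator needs to know about the machineKey element."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    result = {"present": mk is not None, "static": False,
              "static_attributes": [], "issues": []}
    if mk is None:
        # No element at all means the framework default: AutoGenerate,IsolateApps.
        return result
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        result["static_attributes"].append(attr)
        if not HEX_RE.match(value):
            result["issues"].append(f"{attr} is not a hex string")
    result["static"] = bool(result["static_attributes"])
    if result["static"]:
        # The audit cannot tell a per-deployment key from a vendor-shipped one;
        # the operator has to compare against what the product installs by default.
        result["issues"].append(
            "static keys found: confirm they are unique to this deployment "
            "and not a value shipped with the product")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        result["issues"].append("weak validation algorithm: " + mk.get("validation"))
    if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
        result["issues"].append("weak decryption algorithm: " + mk.get("decryption"))
    return result


def new_machine_key_attributes() -> dict:
    """Fresh per-deployment keys: 64-byte HMACSHA256 key, 32-byte AES key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with its machineKey replaced by freshly generated keys."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(new_machine_key_attributes())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, audit_machine_key(cfg))
    print(rotate_machine_key(STATIC_CONFIG))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket signed under the old one, so schedule it with a restart; in a load-balanced deployment every node must receive the same new value, which is the one case where a static (but deployment-unique) key is the correct setting.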
Roger Grimes, data-driven defense analyst at KnowBe4, emphasized the difficulty of defending against attacks stemming from hardcoded credential vulnerabilities. While vendors can release patches to address such vulnerabilities, the onus is on IT administrators to take proactive measures to protect their networks.
Grimes also highlighted the lack of secure programming training for developers as a contributing factor to the prevalence of vulnerabilities like hardcoded credentials. Without proper training on secure coding practices, developers may unknowingly introduce vulnerabilities into their code, posing a significant risk to cybersecurity.
The broader issue of inadequate secure programming education was also raised, with Grimes noting that the absence of employer requirements for secure programming skills contributes to the problem. As a result, developers may not be equipped to address common vulnerabilities, leading to a proliferation of security risks in software applications.
In conclusion, the CVE-2025-30406 vulnerability in Gladinet’s CentreStack and Triofox servers underscores the importance of timely patching and proactive security measures to safeguard against cyber threats. Addressing the root causes of vulnerabilities, such as inadequate secure programming training, is crucial to enhancing the overall security posture of software applications and protecting against potential exploitation.