A critical 0-day vulnerability has been disclosed in CentreStack, a popular enterprise cloud storage and collaboration platform, which could allow attackers to execute arbitrary code remotely on affected web servers. The vulnerability, tracked as CVE-2025-30406, leverages a flaw in the application’s handling of cryptographic keys responsible for securing sensitive ViewState data.
The exploit revolves around the use of hardcoded or improperly managed machine key values in the Internet Information Services (IIS) web.config file, as per the official security advisory. The machine key plays a crucial role in ensuring the integrity and confidentiality of ASP.NET ViewState data, which is used to maintain state across web requests. If a threat actor can obtain or predict the machine key, they can create malicious ViewState payloads that bypass the application’s verification checks, potentially leading to ViewState deserialization attacks and remote code execution.
The exploitation of this vulnerability could grant attackers the same level of access as the underlying web server service account, enabling them to conduct activities such as data theft, lateral movement, or complete server takeover. Security researchers have already observed attempts to exploit this flaw in the wild, emphasizing the need for organizations to take immediate protective measures.
To address this issue, the CentreStack team has swiftly responded by releasing a patched version – build 16.4.10315.56368, which automatically generates and applies a unique machine key for each installation. For organizations unable to update immediately, interim mitigation steps have been outlined, including rotating the machine key, synchronizing keys on server farms, removing legacy keys, and restarting IIS to apply the new configuration.
Enterprise IT administrators are strongly advised to evaluate their CentreStack deployments promptly. Delaying remediations could pose significant risks to organizations, especially considering the observed exploitation of this vulnerability and the potential for complete server compromise.
In conclusion, the disclosure of this 0-day vulnerability in CentreStack highlights the importance of promptly addressing security issues in enterprise applications. Organizations must take immediate action to secure their deployments and mitigate the risk of malicious exploitation. The swift response from the CentreStack team underscores the significance of proactive security measures in the face of evolving cyber threats.