CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox has been discovered and is being actively exploited. The flaw is a hardcoded cryptographic key (the ASP.NET machineKey) in the products' configuration files, which lets attackers forge ASP.NET ViewState and achieve remote code execution. Affected versions are CentreStack below 16.4.10315.56368 and Triofox below 16.4.10317.56372. Exploitation leads to immediate compromise with potential for privilege escalation. Mitigation is to patch or to change the machineKey values. Observed post-exploitation activity includes downloading malicious DLLs, lateral movement, and installation of remote access tools such as MeshCentral. Immediate action is recommended for vulnerable servers exposed to the internet.
AI Analysis
Technical Summary
CVE-2025-30406 is a critical vulnerability in Gladinet CentreStack (versions below 16.4.10315.56368) and Triofox (versions below 16.4.10317.56372), both enterprise file-sharing and synchronization platforms that are commonly deployed as internet-facing portals. The root cause is a machineKey, the key material that protects ASP.NET Web Forms ViewState, hardcoded in the application's configuration file and therefore identical across installations. ViewState preserves page and control state between HTTP requests as a serialized blob that the server deserializes whenever a client posts a __VIEWSTATE field; the machineKey's validationKey provides a MAC over that blob (and the decryptionKey, when encryption is enabled, confidentiality), and that MAC is what stops a client from submitting arbitrary serialized objects. Anyone who has read the shipped configuration from any one install can therefore sign a malicious ViewState payload that the server accepts as authentic and deserializes, which in ASP.NET yields code execution inside the IIS worker process. No authentication or user interaction is required, so exploitation leads to immediate compromise of the server, with potential for privilege escalation on the host. Post-exploitation activity observed in the wild includes downloading malicious DLLs, lateral movement within the internal network, and installation of remote access tools such as MeshCentral for persistent control. Remediation is to apply the vendor update or upgrade to a fixed version; where that is not immediately possible, replacing the machineKey values with unique, randomly generated keys invalidates the known key and prevents forgery.
Additional defensive measures include network segmentation, restricting internet exposure, and monitoring for the published indicators of compromise (the malicious file hashes and the domain rtb.mftadsrvr.com listed below). Two ASP.NET hardening ideas that are often suggested do not help here and should not be relied on: ViewState MAC validation has been enforced unconditionally since Microsoft made it mandatory in 2014 (Security Advisory 2905247), and the forged payload passes it because the attacker holds the key; and disabling ViewState on pages does not stop the runtime from deserializing a __VIEWSTATE field that the attacker supplies. The only configuration-level fix is a unique machineKey. Because exploitation is ongoing and the impact is full server compromise, organizations using these products must prioritize patching, key rotation, and hunting for the post-exploitation activity described above.
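The following is an added example, not code from the page, Huntress or Gladinet: it audits a web.config for an explicit machineKey, fingerprints the key so two servers can be compared without exchanging the secret (identical fingerprints on servers that are not a web farm means a shared vendor default), and emits a freshly generated replacement. The sample configuration and its key values are constructed filler; the vendor's real file location and shipped key are not reproduced here.

```python
"""Audit an ASP.NET web.config for an explicit <machineKey> and rotate it.

Added example (not Gladinet's code or file): the sample config below is
constructed, and the key values in it are filler, not the real vendor keys.
"""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample standing in for a portal web.config shipped with
# explicit (and therefore identical-on-every-install) key material.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
    <httpRuntime targetFramework="4.5" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="0123456789ABCDEF" * 4)

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def find_machine_key(xml_text):
    """Return the first <machineKey> element in a web.config string, or None."""
    root = ET.fromstring(xml_text)
    return next(root.iter("machineKey"), None)


def has_explicit_key(elem):
    """True when validationKey or decryptionKey is literal hex rather than
    AutoGenerate. An explicit key is only a problem when it is shared across
    installs (a vendor default) or readable by untrusted parties, so compare
    fingerprints across hosts rather than treating every explicit key as bad."""
    for attr in ("validationKey", "decryptionKey"):
        value = elem.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate") and HEX_RE.match(value):
            return True
    return False


def key_fingerprint(elem):
    """Short SHA-256 fingerprint of the validationKey, safe to put in a ticket."""
    return hashlib.sha256(elem.get("validationKey", "").encode()).hexdigest()[:16]


def generate_machine_key():
    """Fresh key material: 64 random bytes for HMACSHA256 validation and
    32 for AES-256 decryption, as the upper-case hex the element expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(xml_text, new_key=None):
    """Return the config text with the <machineKey> attributes replaced.

    Every node of a load-balanced farm must receive the same new values, and
    rotation invalidates in-flight ViewState and forms-authentication tickets,
    so do it in a maintenance window. Rotation stops further forgery; it does
    not evict an attacker who has already installed persistence.
    """
    root = ET.fromstring(xml_text)
    elem = next(root.iter("machineKey"), None)
    if elem is None:
        raise ValueError("no <machineKey> element found")
    for attr, value in (new_key or generate_machine_key()).items():
        elem.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    mk = find_machine_key(SAMPLE_WEB_CONFIG)
    if mk is not None and has_explicit_key(mk):
        print("explicit machineKey, fingerprint", key_fingerprint(mk), "- rotating")
        print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

ElementTree rewrites the whole document and drops comments and the XML declaration, which is acceptable for a review copy; on the live server, edit the attributes in place or use the Machine Key feature in IIS Manager, and apply the same generated values to every node behind the load balancer.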
Potential Impact
For European organizations, CVE-2025-30406 poses a significant threat, especially for enterprises relying on Gladinet CentreStack and Triofox for file sharing and synchronization. Successful exploitation can lead to full system compromise, unauthorized access to sensitive corporate data, and data breaches. The ability to execute code remotely and escalate privileges enables malware deployment, lateral movement, and persistent access, which can disrupt operations and damage reputation. Sectors such as finance, healthcare, and government are particularly exposed because of strict data protection obligations such as GDPR; a breach could carry severe legal and financial penalties. The use of remote access tools like MeshCentral after exploitation raises the risk of long-term espionage or sabotage. The attack surface is largest for organizations with internet-facing servers or hybrid cloud deployments. Detection is harder than for typical web exploitation: the forged ViewState carries a valid MAC, so ASP.NET records no verification failure and the request looks like an ordinary POST, leaving only the post-exploitation behaviour on the host as evidence. Overall, the vulnerability threatens the confidentiality, integrity, and availability of critical systems within European enterprises and requires urgent mitigation.
Mitigation Recommendations
1. Immediately apply the latest vendor patches for Gladinet CentreStack and Triofox, or upgrade to 16.4.10315.56368 (CentreStack) or 16.4.10317.56372 (Triofox) or later.
2. Replace the hardcoded machineKey values with unique, randomly generated keys so the known key can no longer be used to forge ViewState. Apply the same new values to every node of a load-balanced deployment, expect in-flight ViewState and forms-authentication tickets to be invalidated, and remember that the same machineKey protects forms-authentication cookies, so a known key also permits forged logins until it is rotated.
3. Segment networks to isolate servers running CentreStack and Triofox, restricting access to only necessary services and trusted IP addresses.
4. Minimize or eliminate direct internet exposure of vulnerable servers by placing them behind reverse proxies or VPNs, or by adopting zero-trust access models.
5. Configure intrusion detection/prevention systems and endpoint detection tools to alert on the known malicious file hashes and on the domain rtb.mftadsrvr.com.
6. Do not rely on ASP.NET ViewState toggles as a mitigation: MAC validation is already mandatory and is passed by the forged payload, and disabling ViewState on a page does not stop an attacker-supplied __VIEWSTATE field from being deserialized. Review the configuration for any other vendor-shipped secrets and rotate them together with the machineKey.
7. Conduct a thorough forensic investigation if compromise is suspected: look for unexpected child processes of the IIS worker (w3wp.exe), new services, scheduled tasks and DLLs dropped on the server, lateral movement, and persistence such as MeshCentral agent installations. Assume that key rotation alone does not remove an attacker who is already present.
8. Educate IT and security teams about this specific vulnerability and its exploitation technique to improve detection and response.
9. Ensure reliable and tested backup and recovery procedures are in place to enable rapid restoration after ransomware or destructive follow-on activity.
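The following triage filter is an added example, not code from the page or from the Huntress write-up, that implements the hunting described above. The events are constructed to resemble normalized EDR or Sysmon output flattened to key=value lines; field names are assumptions to adapt to your own pipeline. It applies three checks: children of w3wp.exe (a ViewState deserialization payload runs inside the IIS worker, so cmd.exe or rundll32.exe under w3wp.exe is the classic tell), a MeshCentral agent appearing under its default service and binary name, and the page's domain and hash indicators.

```python
"""Triage filter for IIS hosts running CentreStack or Triofox.

Added example, not code from the page or the Huntress write-up. The events
below are constructed; field names follow no particular product.
"""
import re

IOC_DOMAINS = {"rtb.mftadsrvr.com"}
IOC_SHA256 = {
    "30981d4082b58704d12a376c3cbb12fecb8a36c2bce64666315e26aef21e75c2",
    "48b006cb17e75ecdb707dc40dd654f449b94abe49f97a808b35cabca1c5fabbf",
}
# Binaries the IIS worker has no business launching in a file-sharing portal.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "regsvr32.exe", "certutil.exe", "mshta.exe"}
# MeshCentral defaults; an operator can rename both, so treat them as a hint
# and confirm any legitimate MeshCentral deployment with IT before escalating.
MESH_SERVICE, MESH_BINARY = "mesh agent", "meshagent.exe"

# key=value pairs; a value may be double-quoted when it contains spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_EVENTS = r"""
type=process host=PORTAL01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
type=process host=PORTAL01 parent=w3wp.exe image=rundll32.exe cmdline="rundll32.exe C:\Windows\Temp\x.dll,Start"
type=process host=PORTAL01 parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File backup.ps1"
type=service host=PORTAL01 name="Mesh Agent" image="C:\Program Files\Mesh Agent\MeshAgent.exe"
type=dns host=PORTAL01 query=rtb.mftadsrvr.com
type=dns host=PORTAL01 query=update.microsoft.com
type=file host=PORTAL01 path=C:\Windows\Temp\x.dll sha256=30981d4082b58704d12a376c3cbb12fecb8a36c2bce64666315e26aef21e75c2
type=file host=PORTAL01 path="C:\Program Files\App\ok.dll" sha256=0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def flag_event(ev):
    """Return a reason string if the event is suspicious, otherwise None."""
    kind = ev.get("type")
    if kind == "process":
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        if parent == "w3wp.exe" and image in SUSPICIOUS_CHILDREN:
            return f"IIS worker spawned {image}: {ev.get('cmdline', '')}"
    elif kind == "service":
        name = ev.get("name", "").lower()
        image = ev.get("image", "").lower()
        if name == MESH_SERVICE or image.endswith(MESH_BINARY):
            return f"MeshCentral agent service installed: {ev.get('image', '')}"
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            return f"DNS query for IOC domain {ev['query']}"
    elif kind == "file":
        if ev.get("sha256", "").lower() in IOC_SHA256:
            return f"file matches IOC hash: {ev.get('path', '')}"
    return None


def triage(text):
    """Run flag_event over every non-empty line; return [(host, reason), ...]."""
    hits = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        reason = flag_event(ev)
        if reason:
            hits.append((ev.get("host", "?"), reason))
    return hits


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"[{host}] {reason}")
```

The process-tree check is the durable one: the hashes and domain will change between campaigns, but code reached through ViewState deserialization still executes as w3wp.exe and must spawn something to do its work, so a baseline of what the portal's worker process normally launches is worth keeping.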
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy
Indicators of Compromise
- cve: CVE-2025-30406
- hash: 30981d4082b58704d12a376c3cbb12fecb8a36c2bce64666315e26aef21e75c2
- hash: 48b006cb17e75ecdb707dc40dd654f449b94abe49f97a808b35cabca1c5fabbf
- domain: rtb.mftadsrvr.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild
- Adversary: not specified
Threat ID: 682c992c7960f6956616aa45
Added to database: 5/20/2025, 3:01:00 PM
Last enriched: 8/6/2025, 12:35:24 AM
Last updated: 8/18/2025, 1:22:24 AM