Date of Disclosure (source): April 3, 2025
Date Reported as Actively Exploited (source): April 8, 2025
CVE-2025-30406 is a critical vulnerability affecting Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368). CentreStack contains a deserialization vulnerability caused by the portal’s use of a hardcoded machineKey.

Example of Exposed Gladinet CentreStack Login Portal
| Field | Details |
|---|---|
| CVE-ID | CVE-2025-30406 – CVSS 9.8 (critical) – assigned by NVD |
| Vulnerability Description | The application uses a hardcoded or improperly protected machineKey in the IIS web.config file, which is responsible for securing ASP.NET ViewState data. If an attacker obtains or predicts the machineKey, they can forge ViewState payloads that pass integrity checks. In some scenarios, this can result in ViewState deserialization attacks, potentially leading to remote code execution (RCE) on the web server. |
| Date of Disclosure | April 3, 2025 |
| Affected Assets | Gladinet CentreStack (CentreStack portal’s hardcoded machineKey use) |
| Vulnerable Software Versions | Gladinet CentreStack through version 16.1.10296.56315. |
| PoC Available? | We did not observe any public exploits available at the time of writing. |
| Exploitation Status | This vulnerability is known to be actively exploited and was added to CISA KEV on April 8, 2025. |
| Patch Status | This vulnerability has been patched in version 16.4.10315.56368. The vendor has advised users to manually generate new machineKeys if patching their instances is not immediately possible. |
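
The vendor's interim mitigation above depends on knowing which portals still carry a static machineKey. As an added example (not Censys or Gladinet code), this Python script audits web.config contents for static machineKey values and fingerprints them so that identical keys across installs stand out; the file paths and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are placeholders, not real CentreStack keys.
SAMPLE_CONFIGS = {
    "hostA/portal/web.config": '<configuration><system.web><machineKey '
        'validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1"/>'
        '</system.web></configuration>',
    # Same key in lower case, nested under <location>
    "hostB/portal/web.config": '<configuration><location path="portal"><system.web>'
        '<machineKey validationKey="aaaa1111" decryptionKey="bbbb2222"/>'
        '</system.web></location></configuration>',
    "hostC/portal/web.config": '<configuration><system.web><machineKey '
        'validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate"/>'
        '</system.web></configuration>',
    "hostD/portal/web.config": '<configuration><system.web/></configuration>',
}

def audit_machine_keys(configs):
    """Return (findings, shared): per-file status and fingerprints seen in >1 file."""
    findings, by_fp = [], {}
    for path, text in configs.items():
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            findings.append((path, "unparsable", None))
            continue
        # iter() also reaches machineKey elements nested under <location> blocks
        keys = list(root.iter("machineKey"))
        if not keys:
            # No element: ASP.NET falls back to auto-generated keys
            findings.append((path, "no-machineKey", None))
        for mk in keys:
            vk = mk.get("validationKey", "AutoGenerate")
            dk = mk.get("decryptionKey", "AutoGenerate")
            if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
                findings.append((path, "auto-generated", None))
                continue
            # Report a fingerprint, never the secret; hex keys are case-insensitive
            fp = hashlib.sha256(f"{vk.upper()}|{dk.upper()}".encode()).hexdigest()[:16]
            findings.append((path, "static", fp))
            by_fp.setdefault(fp, []).append(path)
    shared = {fp: paths for fp, paths in by_fp.items() if len(paths) > 1}
    return findings, shared

if __name__ == "__main__":
    findings, shared = audit_machine_keys(SAMPLE_CONFIGS)
    for path, status, fp in findings:
        print(f"{status:15} {fp or '-':16} {path}")
    for fp, paths in shared.items():
        print(f"SHARED KEY {fp}: {', '.join(paths)} -> rotate")
```

A fingerprint that appears on more than one install indicates a key that shipped with the product rather than one generated per deployment, and those hosts are the ones to patch or re-key first.
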
Censys Perspective
At the time of writing, Censys observed 12,694 exposed Gladinet CentreStack instances online; the overwhelming majority (12,229) were virtual hosts. Note that not all instances observed are necessarily vulnerable, as we do not always have specific versions available. Note that we do see versions for these devices. However, given the active exploitation of this vulnerability and potential involvement from threat actors, we’ve omitted the vulnerable versions from this advisory.
Map of Exposed Gladinet CentreStack Instances:

The queries below can be used to identify exposed instances of Gladinet CentreStack, but the instances they return are not necessarily vulnerable to the exploit.
host.services.software: (vendor: "Gladinet" and product: "CentreStack") or web.software: (vendor: "Gladinet" and product: "CentreStack")
services.software: (vendor="Gladinet" and product="CentreStack")
host.services.software: (vendor="Gladinet" or product="CentreStack") or web_entity.instances.software: (vendor="Gladinet" and product="CentreStack")
The query below can be used to identify exposed instances of Gladinet CentreStack that are vulnerable to the exploit.
risks.name = "Vulnerable Gladinet CentreStack [CVE-2025-30406]"
Please note that these fingerprints were recently deployed and results may take up to 24 hours to fully propagate.

