Introduction: Gladinet CentreStack is an enterprise file sync and share solution that enables organizations to sync, access, and share data across multiple devices. In March 2025, it was discovered that a deserialization vulnerability existed in CentreStack versions through 16.1.10296.56315, which was later fixed in version 16.4.10315.56368. This vulnerability enables threat actors to achieve remote code execution on affected CentreStack instances if they know the hardcoded machineKey.
Exploit Details: The deserialization vulnerability in CentreStack stems from the CentreStack portal's use of a hardcoded machineKey. This machineKey is defined in the portal\web.config file and can be deleted manually by a CentreStack admin. If a threat actor knows the machineKey, however, they can craft a payload that the server will deserialize and thereby achieve remote code execution on the CentreStack server.
To exploit this vulnerability, a threat actor sends a specially crafted HTTP POST request containing a serialized payload to the CentreStack server. The server deserializes the payload using the hardcoded machineKey, allowing the attacker to execute malicious code on the server.
Code Snippet: To exploit this vulnerability, an attacker may use a script similar to the one shown below.
import requests

# Replace this with the target CentreStack URL
target_url = "http://target-centrestack-url"

# Serialized payload crafted using the known machineKey (placeholder)
serialized_payload = "your-serialized-payload"

# Send the HTTP POST request containing the serialized payload
response = requests.post(target_url, data={"ViewState": serialized_payload}, timeout=30)

# Check the response status code for success
if response.status_code == 200:
    print("Successfully exploited the vulnerability.")
else:
    print(f"Exploit failed with response status code: {response.status_code}")
Original References: This vulnerability was tracked as CVE-2025-30406 and was published in the Common Vulnerabilities and Exposures (CVE) database. More details and references can be found at the following links:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30406
2. https://nvd.nist.gov/vuln/detail/CVE-2025-30406
Mitigation: To mitigate this vulnerability, admins should update affected CentreStack instances to version 16.4.10315.56368 or higher, where the vulnerability is fixed. Additionally, CentreStack admins can manually delete the hardcoded machineKey defined in the portal\web.config file so that the server no longer deserializes payloads signed with the known machineKey.
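To verify whether a portal\web.config still carries a static machineKey, and to produce the config with that element removed as the mitigation describes, the following is an added Python example (not Gladinet's code). The sample config and its key values are constructed placeholders, not the real CentreStack machineKey, and the element path assumes the standard ASP.NET system.web/machineKey layout.

```python
"""Audit a CentreStack portal\\web.config for a hardcoded <machineKey>.

Added example, not Gladinet code. The sample config below is constructed;
the key values are placeholders, not the real CentreStack machineKey.
"""
import xml.etree.ElementTree as ET

# Constructed web.config fragment standing in for portal\web.config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <compilation debug="false" />
  </system.web>
</configuration>
"""


def find_hardcoded_machine_key(config_xml: str):
    """Return the static key attributes of <machineKey>, or None if absent.

    A key attribute starting with "AutoGenerate" is generated per server
    and is not the shared, hardcoded secret this CVE depends on.
    """
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    static = {k: v for k, v in node.attrib.items()
              if k in ("validationKey", "decryptionKey")
              and not v.startswith("AutoGenerate")}
    return static or None


def remove_machine_key(config_xml: str) -> str:
    """Return the config with every <machineKey> under system.web removed."""
    root = ET.fromstring(config_xml)
    web = root.find("./system.web")
    if web is not None:
        for node in web.findall("machineKey"):
            web.remove(node)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found = find_hardcoded_machine_key(SAMPLE_WEB_CONFIG)
    print("hardcoded machineKey present:", found is not None)
    print(remove_machine_key(SAMPLE_WEB_CONFIG))
```

With the element removed, ASP.NET auto-generates a per-server key; on a multi-node deployment the nodes would then need a freshly generated key shared among them rather than the published one.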
Conclusion: The Gladinet CentreStack deserialization vulnerability (CVE-2025-30406) has significant security implications, as it allows threat actors to execute code remotely on affected servers. Organizations running vulnerable instances of CentreStack should update their systems immediately and remove the hardcoded machineKey from their portal\web.config file to prevent exploitation. More broadly, software developers should avoid hardcoded cryptographic keys and follow secure coding practices to minimize the risk of such vulnerabilities.
Timeline
Published on: 04/03/2025 20:15:24 UTC
Last modified on: 04/10/2025 16:19:51 UTC