CVE-2025-30406

CentreStack vulnerability analysis and mitigation — CRITICAL (CVSS 9)

High Profile Threat

Overview

Gladinet CentreStack contains a critical server-side deserialization vulnerability caused by a hardcoded machineKey in the portal. This vulnerability allows remote attackers with knowledge of the machineKey to achieve remote code execution (RCE) on the affected server. The vulnerability affects CentreStack through version 16.1.10296.56315 and was disclosed on April 3, 2025. CISA has identified CVE-2025-30406 as being exploited, but it is not currently known to be used in ransomware campaigns.

Technical details

Gladinet CentreStack contains a server-side deserialization vulnerability stemming from the use of a hardcoded machineKey within the portal application. The machineKey is a cryptographic key used by ASP.NET to encrypt and decrypt sensitive data such as view state and authentication tokens. When a machineKey is hardcoded and publicly known (or easily discoverable), attackers can craft malicious serialized objects that bypass authentication and integrity checks. By exploiting the deserialization of untrusted data combined with the known machineKey, attackers can instantiate arbitrary .NET objects, potentially leading to remote code execution on the server.

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data), CWE-798 (Use of Hardcoded Credentials) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.

Impact

An attacker with knowledge of the hardcoded machineKey can craft malicious serialized .NET objects and send them to the CentreStack portal. Upon deserialization, these objects can execute arbitrary code with the privileges of the CentreStack application (typically running as a system service). This leads to complete compromise of the affected server, including data theft, system modification, denial of service, lateral movement within the network, and potential deployment of malware or ransomware.

Mitigation and workarounds

Upgrade to CentreStack version 16.2.0 or later. Alternatively, apply the security patch for version 16.1 (build 16.1.10296.56410 or later). Administrators should download the latest version from the Gladinet portal, back up their current configuration, and follow the standard upgrade procedure. After patching, restart the CentreStack services and verify the deployment. The fixed versions are CentreStack 16.2.0 and later, and the patched 16.1 build, 16.1.10296.56410.

As temporary workarounds:

- Restrict network access to the CentreStack portal to trusted IP addresses only, using firewall rules or network segmentation. This reduces the attack surface by limiting who can attempt exploitation.
- Implement rate limiting and request filtering on the CentreStack portal to detect and block suspicious deserialization attempts or unusual request patterns.
- Disable unnecessary features or endpoints in the CentreStack portal that are not required for operations, reducing the attack surface.
- Monitor CentreStack logs and system activity for signs of exploitation, including unusual deserialization errors, unexpected process execution, or abnormal network connections.
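As an added example that is not part of this advisory or Gladinet's code, the following Python script checks an ASP.NET web.config for the condition described in the technical details (a <machineKey> with explicit, hardcoded keys or a legacy validation algorithm) and generates fresh, deployment-unique key material for the rotation that should accompany patching. The sample configurations and every key value in it are constructed placeholders, not CentreStack's actual values.

```python
"""Audit an ASP.NET web.config <machineKey> and generate replacement keys.
Added example for this advisory, not Gladinet's code; all sample configs
and key values below are constructed placeholders."""
import secrets
import xml.etree.ElementTree as ET

# Only the HMAC-SHA2 family is accepted as a validation algorithm here;
# SHA1, MD5, 3DES and AES are legacy choices for the validation attribute.
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

# Constructed web.config with keys baked in and a legacy validation algorithm.
SAMPLE_HARDCODED = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233"
              decryptionKey="00112233445566778899AABBCCDDEEFF"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""

# Constructed web.config that leaves key generation to the runtime.
SAMPLE_AUTOGEN = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Report explicit (hardcoded) keys and weak validation algorithms.
    An explicit key is legitimate on a web farm that must share one, but it
    must be unique to the deployment; a key shipped identically on every
    install cannot be told apart from config alone, so every one is flagged."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    findings: list[str] = []
    if mk is None:  # absent element: the runtime auto-generates per-machine keys
        return findings
    for attr in ("validationKey", "decryptionKey"):
        if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"{attr} is hardcoded in web.config")
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"validation algorithm {validation} is weak")
    return findings


def rotated_machine_key() -> dict[str, str]:
    """Fresh, deployment-unique key material for a machineKey rotation:
    64 random bytes for HMACSHA256 validation, 32 for AES-256 decryption,
    hex-encoded as the web.config attributes expect."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}
```

Run the audit against the portal's web.config after upgrading; if explicit keys remain, replace them with the output of rotated_machine_key() on every node of the deployment, since any ViewState or token minted under the old key should be treated as untrusted.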

CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional resources

Source: This report was generated using AI

Related Gladinet Vulnerabilities

No related vulnerabilities found with identified affected products.