CVE-2025-30406

CRITICAL KEV NUCLEI

Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE

Title source: nuclei

Exploitation Summary

CVE-2025-30406 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 8, 2025. EIP tracks 5 public exploits from researchers including mchklt, W01fh4cker and threadpoolx, among them a Metasploit module, auxiliary/gather/gladinet_storage_path_traversal_cve_2025_11371. A Nuclei detection template is also available.


Description

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.

Exploits (5)

nomisec WORKING POC 88 stars
by mchklt · remote
https://github.com/mchklt/CVE-2025-30406

This repository contains a functional Proof-of-Concept (PoC) for CVE-2025-30406, a ViewState deserialization vulnerability in ASP.NET applications. The exploit uses ysoserial to generate a malicious payload and includes a custom HTTP server for exfiltrating command output.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ASP.NET applications with vulnerable ViewState configurations
No auth needed
Prerequisites: Valid ViewState validation key and generator · Vulnerable endpoint accepting ViewState parameters · ysoserial executable · Python 3.x with requests library
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 12 stars
by W01fh4cker · remote
https://github.com/W01fh4cker/CVE-2025-30406

This PoC exploits a deserialization vulnerability in Microsoft PowerShell Editor Services, leveraging a crafted serialized payload to achieve remote code execution. The payload includes a malicious resource dictionary with embedded XAML and C# code execution.

Classification: Working PoC 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Microsoft PowerShell Editor Services (likely related to Visual Studio or VS Code extensions)
No auth needed
Prerequisites: Target system must be running vulnerable version of PowerShell Editor Services · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by threadpoolx · remote
https://github.com/threadpoolx/CVE-2025-30406-CentreStack-Triofox-Deserialization-RCE

This is a detailed writeup explaining CVE-2025-30406, a critical insecure deserialization vulnerability in CentreStack and Triofox due to a hardcoded machineKey. It describes the attack chain, exploitation logic, and mitigation steps.

Classification: Writeup 100%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: CentreStack & Triofox
No auth needed
Prerequisites: Knowledge of the hardcoded machineKey · Access to a vulnerable endpoint using ViewState or serialized objects
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by Huntress Team · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/gladinet_storage_path_traversal_cve_2025_11371.rb

This Metasploit module exploits a path traversal vulnerability (CVE-2025-11371) in Gladinet CentreStack/Triofox, allowing unauthenticated attackers to read arbitrary files via the `/storage/t.dn` endpoint by manipulating the `s` parameter. It includes functionality to extract the machineKey from Web.config for potential follow-up attacks.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Gladinet CentreStack/Triofox versions up to 16.10.10408.56683
No auth needed
Prerequisites: Network access to the target server
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Huntress Team, H00die Gr3y · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/gladinet_viewstate_deserialization_cve_2025_30406.rb

This Metasploit module exploits a ViewState deserialization vulnerability in Gladinet CentreStack/Triofox due to hardcoded machine keys, allowing remote code execution via forged ViewState payloads.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Gladinet CentreStack (<=16.4.10315.56368), Gladinet Triofox (<=16.4.10317.56372)
No auth needed
Prerequisites: Access to the target web application · Hardcoded or extracted machine key
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: http.favicon.hash:1163764264

Scores

CVSS v3 9.0
EPSS 0.8536
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-04-08
VulnCheck KEV 2025-04-04
ENISA EUVD EUVD-2025-9671
CWE CWE-321, CWE-798
Status published
Products (1)
gladinet/centrestack < 16.4.10315.56368
Published Apr 03, 2025
KEV Added Apr 08, 2025
Tracked Since Feb 18, 2026