CentreStack Under Active Attack Hard-Coded Key Opens Door to Remote Control

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) just dropped a new alert. On Tuesday, they added a critical security vulnerability in Gladinet CentreStack to their Known Exploited Vulnerabilities (KEV) catalog. This means bad actors are actively using this flaw "in the wild," so pay attention!

The vulnerability, labeled CVE-2025-30406 and scoring a hefty 9.0 on the CVSS scale, boils down to a hard-coded cryptographic key. In simple terms, this key, if compromised, could allow attackers to remotely execute code on affected systems. Gladinet addressed this issue in version 16.4.10315.56368, which was released on April 3, 2025.

According to CISA, "Gladinet CentreStack contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification." The result? A successful exploit lets an attacker whip up forged ViewState payloads for server-side deserialization, ultimately leading to remote code execution.

The core issue is the use of a hard-coded "machineKey" within the IIS web.config file. If a threat actor gets their hands on this "machineKey," they can serialize a payload for server-side deserialization, paving the way for remote code execution. Not good!

Right now, details are scarce regarding the specific methods of exploitation, the identity of the attackers, or the targets of these attacks. However, the CVE description notes that CVE-2025-30406 was exploited as a zero-day in March 2025, suggesting it's been actively used for a while.

Gladinet has also acknowledged that "exploitation has been observed in the wild," urging customers to patch their systems ASAP. If you can't patch immediately, they recommend rotating the machineKey value as a temporary workaround.