Hackers have exploited a zero-day vulnerability in Gladinet CentreStack’s file-sharing software since March 2025. This flaw, identified as CVE-2025-30406, affects versions up to 16.1.10296.56315. The vulnerability stems from the use of a hardcoded machineKey in the CentreStack portal’s configuration, which could allow attackers to forge serialized payloads for execution on the server. If an attacker gains knowledge of this machineKey, they can bypass integrity checks and execute remote code on the server.
Gladinet CentreStack is a file-sharing and access platform that helps businesses manage file servers.
It is widely used across 49 countries by organizations requiring secure cloud-like access to on-premise servers. The deserialization vulnerability, caused by improper key protection, allows attackers to craft malicious payloads that exploit the system. Exploitation of this flaw has been actively observed since March 2025, raising concerns about potential data theft attacks.
In response, Gladinet released a security fix on April 3, 2025, addressing the vulnerability in version 16.4.10315.56368 and other updates for different platforms. Users are strongly encouraged to upgrade to the patched version to mitigate risks. For those unable to apply updates immediately, rotating the machineKey in both ‘root\web.config’ and ‘portal\web.config’ is recommended as an interim solution.
However, consistency across multi-server environments must be ensured to avoid operational issues.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities catalog. Although there is no indication that ransomware groups have exploited this flaw yet, CISA has urged federal and state organizations to apply the patch by April 29, 2025. Given the nature of the vulnerability, it is believed to be exploited for data theft, potentially by threat actors like the Clop ransomware gang, who have previously targeted similar file-sharing systems.
