SentinelOne

CVE-2025-30406: Gladinet CentreStack RCE Vulnerability

CVE-2025-30406 is a deserialization RCE vulnerability in Gladinet CentreStack caused by hardcoded machineKey usage. Exploited in the wild, it allows attackers to execute arbitrary code remotely. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-30406 Overview

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. A CentreStack admin can manually delete the machineKey defined in portal\web.config.

Critical Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems, leading to complete control over the server.

Affected Products

  • Gladinet CentreStack 16.1.10296.56315
  • Versions prior to 16.4.10315.56368
  • All configurations using hardcoded machineKey

Discovery Timeline

  • 2025-04-03T20:15:24.987 - CVE-2025-30406 published to NVD
  • 2025-11-05T19:27:44.190 - Last updated in NVD database

Technical Details for CVE-2025-30406

Vulnerability Analysis

The vulnerability arises from the use of a hardcoded machineKey within the CentreStack portal. This enables an attacker who has knowledge of the machineKey to craft a serialized payload. Upon deserialization on the server-side, this payload can lead to remote code execution.

Root Cause

The root cause is the hardcoded machineKey in the CentreStack portal. Anyone who knows the key can serialize a payload that the server accepts and deserializes, which can lead to arbitrary code execution.

Attack Vector

The attack can be executed over the network by sending a maliciously crafted payload that will be deserialized on the server.

java
// Example exploitation code (sanitized)
import java.io.*;

public class Exploit {
    public static void main(String[] args) {
        try {
            // Sample pseudo-code for crafting payload
            String payload = "malicious serialized object";
            // Send to vulnerable endpoint
            // VulnerableEndpoint.processPayload(payload);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Detection Methods for CVE-2025-30406

Indicators of Compromise

  • Unusual outbound network traffic
  • Anomalous process behavior
  • Unexpected changes to system configurations

Detection Strategies

Implement network monitoring for suspicious serialized object communications. Utilize endpoint detection systems to analyze unexpected process executions.

Monitoring Recommendations

Regularly audit server configurations for hardcoded keys. Monitor for changes in system behavior that do not match known patterns.
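
One way to run the configuration audit recommended above, as an added example (not SentinelOne's or Gladinet's code): a Python script that parses a web.config and flags any <machineKey> element that carries a literal validationKey or decryptionKey. The sample configs and key strings are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the key strings are made up for this example.
SAMPLE_HARDCODED = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""
SAMPLE_AUTOGEN = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
  </system.web>
</configuration>"""
SAMPLE_NONE = "<configuration><system.web /></configuration>"

KEY_ATTRS = ("validationKey", "decryptionKey")

def audit_root(root):
    """Return (attribute, key length) for every literal key in a <machineKey>."""
    findings = []
    for elem in root.iter():
        # Compare the local name so a namespaced web.config is handled too.
        if not isinstance(elem.tag, str) or elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in KEY_ATTRS:
            value = (elem.get(attr) or "").strip()
            # Absent or AutoGenerate: ASP.NET generates the key, nothing is hardcoded.
            if not value or value.lower().startswith("autogenerate"):
                continue
            findings.append((attr, len(value)))  # report length, never the key itself
    return findings

def audit_text(xml_text):
    return audit_root(ET.fromstring(xml_text))

def audit_file(path):
    return audit_root(ET.parse(path).getroot())

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for attr, length in audit_file(path):
            print(f"{path}: literal {attr} ({length} chars) in <machineKey>")
```

A finding only shows that a literal key is stored in the file; it does not tell whether that key is the one shipped by the vendor.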

How to Mitigate CVE-2025-30406

Immediate Actions Required

  • Remove the hardcoded machineKey from portal\web.config
  • Update to the fixed version 16.4.10315.56368 or later
  • Ensure secure configurations by revisiting all environment settings

Patch Information

The issue is fixed in CentreStack version 16.4.10315.56368. Users are encouraged to upgrade as per the vendor advisory.

Workarounds

An admin can manually delete or update the machineKey defined in portal\web.config to prevent unauthorized deserialization.

bash
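# Configuration example: delete the machineKey line from portal/web.config.
# -i.bak keeps the original as web.config.bak; this assumes the element sits on one line.
sed -i.bak '/machineKey/d' portal/web.config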

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
