This article discusses in-the-wild exploitation of Gladinet CentreStack and Triofox through CVE-2025-30406: the products ship with a hardcoded cryptographic key (the ASP.NET machineKey in web.config) that is identical across installations, so an attacker who extracts it from any copy of the software can forge ViewState the server trusts and reach remote code execution. Multiple organizations have already been compromised and the incidents are ongoing. Affected: Gladinet CentreStack, Gladinet Triofox, the IIS web servers hosting them, multiple organizations
Keypoints :
- CVE-2025-30406 is rated critical (CVSS 9.0).
- The hardcoded key in the Gladinet web.config is shared by every installation, so a single extracted copy works against any unpatched server.
- At least seven organizations are known to have been compromised through this vulnerability.
- A few hundred vulnerable servers are exposed on the internet.
- Exploitation yields remote code execution on the IIS host, and the resulting foothold can be escalated to SYSTEM.
- Mitigation is to upgrade to CentreStack 16.4.10315.56368 or Triofox 16.4.10317.56372 (the fixed builds).
- PowerShell scripts are available to assess exposure and apply remediation.
- The vulnerability is under active exploitation: compromised hosts have been observed communicating with known attacker IPs.
- Huntress has released tooling to detect and mitigate this vulnerability.
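The assess-and-remediate steps above, as an added PowerShell example; this is not Huntress' or Gladinet's script. It assumes the products register under the standard Uninstall registry keys with a DisplayName containing "CentreStack" or "Triofox", that the operator passes the path to the application's web.config, and that the fixed versions are the two listed above. The key rotation uses the standard ASP.NET machineKey layout (validationKey and decryptionKey attributes under system.web); run it with -WhatIf first.

```powershell
#Requires -RunAsAdministrator
# Added example, not the vendor's or Huntress' script: compare the installed build with the
# fixed versions and inspect (optionally rotate) the ASP.NET <machineKey> in web.config.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: the operator supplies the web.config path of the CentreStack/Triofox site.
    [Parameter(Mandatory)] [string] $WebConfigPath,
    # Rewrite <machineKey> with freshly generated random keys (use -WhatIf to preview).
    [switch] $Rotate
)

# Fixed versions from the advisory summary above.
$Fixed = @{
    CentreStack = [version]'16.4.10315.56368'
    Triofox     = [version]'16.4.10317.56372'
}

function Get-GladinetInstall {
    # Assumption: both products appear under the standard Uninstall keys with these names.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'CentreStack|Triofox' } |
        ForEach-Object {
            $product = if ($_.DisplayName -match 'Triofox') { 'Triofox' } else { 'CentreStack' }
            $ver = $_.DisplayVersion -as [version]
            [pscustomobject]@{
                Product    = $product
                Version    = $_.DisplayVersion
                Fixed      = $Fixed[$product]
                # An unparseable version string is reported as vulnerable, not silently passed.
                Vulnerable = (-not $ver) -or ($ver -lt $Fixed[$product])
            }
        }
}

function Get-MachineKeyStatus {
    param([string] $Path)
    [xml] $cfg = Get-Content -LiteralPath $Path -Raw
    $mk = $cfg.configuration.'system.web'.machineKey
    if (-not $mk) {
        return [pscustomobject]@{ Path = $Path; StaticKey = $false; Note = 'no <machineKey>; ASP.NET auto-generates per machine' }
    }
    # A literal key (anything other than AutoGenerate) is what the CVE is about: if the vendor
    # shipped it, every install shares it and an attacker can sign ViewState for this server.
    $static = ($mk.validationKey -and $mk.validationKey -notmatch '^AutoGenerate') -or
              ($mk.decryptionKey -and $mk.decryptionKey -notmatch '^AutoGenerate')
    [pscustomobject]@{
        Path       = $Path
        StaticKey  = $static
        Validation = $mk.validation
        Decryption = $mk.decryption
        Note       = if ($static) { 'static key present; treat it as known to attackers unless you generated it' } else { 'auto-generated' }
    }
}

function New-HexKey {
    # Random bytes from the platform CSPRNG, hex-encoded as ASP.NET expects.
    param([int] $Bytes)
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    ([System.BitConverter]::ToString($buf)) -replace '-', ''
}

function Set-MachineKey {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Path)
    [xml] $cfg = Get-Content -LiteralPath $Path -Raw
    $web = $cfg.configuration.SelectSingleNode('system.web')
    if (-not $web) { throw "no <system.web> element in $Path" }
    $mk = $web.SelectSingleNode('machineKey')
    if (-not $mk) { $mk = $web.AppendChild($cfg.CreateElement('machineKey')) }
    # 64 random bytes for HMACSHA256 validation, 32 random bytes for AES-256 decryption.
    $mk.SetAttribute('validationKey', (New-HexKey 64))
    $mk.SetAttribute('decryptionKey', (New-HexKey 32))
    $mk.SetAttribute('validation', 'HMACSHA256')
    $mk.SetAttribute('decryption', 'AES')
    if ($PSCmdlet.ShouldProcess($Path, 'replace <machineKey> with new random keys')) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        $cfg.Save($Path)   # IIS applies the change on the next app-domain recycle
    }
}

$installs = @(Get-GladinetInstall)
if ($installs.Count -eq 0) { Write-Warning 'No CentreStack/Triofox entry found under the Uninstall keys' }
$installs | Format-Table -AutoSize
$status = Get-MachineKeyStatus -Path $WebConfigPath
$status | Format-List
if ($Rotate) { Set-MachineKey -Path $WebConfigPath }
```

Rotating the key removes the forged-ViewState precondition but is not a substitute for the patch, and it does nothing for an attacker who is already on the box, so pair it with an indicator sweep. Every node in a web farm must receive the same new key, and rotation invalidates existing ViewState and forms-authentication tickets, so users are logged out.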
MITRE Techniques :
- Initial Access (T1190) - Exploit Public-Facing Application: the hardcoded machineKey lets an unauthenticated attacker forge requests that the IIS-hosted application trusts.
- Execution (T1059.001) - PowerShell: PowerShell commands are run on the server through the IIS worker process to execute attacker code.
- Privilege Escalation (T1068) - Exploitation for Privilege Escalation: the foothold gained on the server is escalated to SYSTEM.
Indicators of Compromise :
- [Hash] d3d11.dll (48b006cb17e75ecdb707dc40dd654f449b94abe49f97a808b35cabca1c5fabbf)
- [Hash] Centre.exe (30981d4082b58704d12a376c3cbb12fecb8a36c2bce64666315e26aef21e75c2)
- [IP Address] 165.227.7[.]206
- [IP Address] 104.21.16[.]1
- [IP Address] 104.21.48[.]1
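A host sweep for the indicators listed above, as an added PowerShell example that is not part of the original page or of Huntress' tooling. It assumes IIS W3C logs under the default C:\inetpub\logs\LogFiles root and operator-chosen roots for the file search; a legitimate d3d11.dll lives in System32, so the SHA-256 hash, not the file name, is the discriminator.

```powershell
# Added example, not part of the original page or of Huntress' tooling: sweep one host for
# the listed file hashes, IIS requests from the listed IPs, and live outbound connections.
param(
    [string]   $IisLogRoot = 'C:\inetpub\logs\LogFiles',                       # IIS default
    [string[]] $FileRoots  = @('C:\Windows\Temp', 'C:\inetpub', $env:ProgramData),  # assumption
    [int]      $Days       = 30
)

$IocHashes = @{
    'd3d11.dll'  = '48b006cb17e75ecdb707dc40dd654f449b94abe49f97a808b35cabca1c5fabbf'
    'Centre.exe' = '30981d4082b58704d12a376c3cbb12fecb8a36c2bce64666315e26aef21e75c2'
}
$IocIPs = @('165.227.7.206', '104.21.16.1', '104.21.48.1')

function Find-IocFile {
    # A name match is only a lead; HashMatch is the actual hit.
    foreach ($root in $FileRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $IocHashes.ContainsKey($_.Name) } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = $hash
                    HashMatch = ($hash -eq $IocHashes[$_.Name])
                    Written   = $_.LastWriteTime
                }
            }
    }
}

function Get-Field {
    # Column lookup by W3C field name; '-' when the log does not carry that field.
    param($Cols, $Index, $Name)
    if ($Index.ContainsKey($Name)) { $Cols[$Index[$Name]] } else { '-' }
}

function Search-IisLog {
    # Parse W3C logs by their '#Fields:' header so column order does not matter.
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $IisLogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $file = $_.FullName
            $idx  = @{}
            foreach ($line in [System.IO.File]::ReadLines($file)) {
                if ($line.StartsWith('#Fields:')) {
                    $names = $line.Substring(8).Trim() -split ' '
                    $idx = @{}
                    for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
                    continue
                }
                if ($line.StartsWith('#') -or -not $idx.ContainsKey('c-ip')) { continue }
                $cols = $line -split ' '
                if ($IocIPs -contains $cols[$idx['c-ip']]) {
                    [pscustomobject]@{
                        Log      = $file
                        When     = "$(Get-Field $cols $idx 'date') $(Get-Field $cols $idx 'time')"
                        ClientIP = $cols[$idx['c-ip']]
                        Method   = Get-Field $cols $idx 'cs-method'
                        Uri      = Get-Field $cols $idx 'cs-uri-stem'
                        Status   = Get-Field $cols $idx 'sc-status'
                    }
                }
            }
        }
}

function Test-OutboundIoc {
    # Live TCP connections to the listed addresses, with the owning process named.
    Get-NetTCPConnection -RemoteAddress $IocIPs -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
            }
        }
}

Write-Host '== dropped files =='
Find-IocFile | Format-Table -AutoSize
Write-Host '== IIS requests from listed IPs =='
Search-IisLog | Format-Table -AutoSize
Write-Host '== live outbound connections to listed IPs =='
Test-OutboundIoc | Format-Table -AutoSize
```

The keypoints describe outbound communication to the attacker IPs, so the live-connection check matters as much as the inbound log search; the two 104.21.x.x addresses sit in a CDN's shared address range, so treat a hit on them as a lead to be confirmed by the owning process (w3wp.exe or one of the dropped binaries) rather than as a verdict. If the site sits behind a reverse proxy, c-ip holds the proxy's address and X-Forwarded-For logging must be enabled for the inbound search to mean anything.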