Summary: Security researchers from Huntress report active exploitation of a critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software, which has affected seven organizations and approximately 120 endpoints. The flaw arises from hardcoded cryptographic keys in default configurations, enabling remote code execution attacks. Huntress detected anomalous activity suggesting that threat actors are executing malicious commands through PowerShell to exploit this vulnerability.
Affected: Gladinet CentreStack and Triofox software
Key points:
- Vulnerability CVE-2025-30406 has a CVSS score of 9/10 and was added to CISA’s KEV catalog.
- Attackers use default cryptographic keys to bypass ASPX ViewState protections and gain control over servers.
- Huntress detected suspicious activity through the IIS worker process, leading to a series of alerts and investigations.
- Gladinet has issued patch updates, which are effective against the exploits observed.
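
A defender-side check for the hardcoded-key condition described above, as an added example that is not code from Huntress or Gladinet. It assumes the keys are set in the standard ASP.NET `<machineKey>` element of a `web.config`; the host labels and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

KEY_ATTRS = ("validationKey", "decryptionKey")

def static_keys(web_config_xml):
    """Map each hardcoded machineKey attribute to a short SHA-256 fingerprint."""
    found = {}
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns on the root
            continue
        for attr in KEY_ATTRS:
            value = el.get(attr, "").strip()
            # "AutoGenerate[,IsolateApps]" means ASP.NET derives per-machine keys.
            if value and not value.lower().startswith("autogenerate"):
                # Fingerprint instead of echoing the secret; hex keys are case-insensitive.
                found[attr] = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
    return found

def audit(configs):
    """configs: {host label: web.config text} -> (hardcoded attrs per host, hosts sharing a key)."""
    hardcoded, owners = {}, defaultdict(set)
    for host, text in configs.items():
        keys = static_keys(text)
        if keys:
            hardcoded[host] = sorted(keys)
        for attr, fingerprint in keys.items():
            owners[(attr, fingerprint)].add(host)
    shared = sorted({h for hosts in owners.values() if len(hosts) > 1 for h in hosts})
    return hardcoded, shared

def _cfg(vkey, dkey, xmlns=""):
    # Constructed sample web.config; the key values are placeholders, not real keys.
    return (f'<configuration{xmlns}><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="SHA1" decryption="AES"/>'
            '</system.web></configuration>')

SAMPLE = {
    "host-a": _cfg("AB" * 32, "CD" * 24),
    "host-b": _cfg("ab" * 32, "cd" * 24,  # same keys as host-a, lower case, namespaced
                   ' xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"'),
    "host-c": _cfg("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    "host-d": _cfg("EF" * 32, "AutoGenerate"),
}

if __name__ == "__main__":
    hardcoded, shared = audit(SAMPLE)
    print("hardcoded:", hardcoded)
    print("same key on more than one host:", shared)
```

A fingerprint that repeats across separately installed servers points to an installer default rather than a per-host secret, which is the condition this vulnerability depends on.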