Cyber Resilience

CVE-2025-30406

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 03 April 2025

Published
03 April 2025
Modified
05 November 2025
KEV Added
08 April 2025
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.8536 99.4th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30406 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Gladinet Centrestack. Its CVSS base score is 9.0 (Critical).

Operationally, ranked in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

Deeper analysis

Gladinet CentreStack through version 16.1.10296.56315 contains a deserialization vulnerability in the CentreStack portal stemming from use of a hardcoded machineKey, with the issue corrected in version 16.4.10315.56368. The weakness is tracked under CWE-321 and CWE-798 and carries a CVSS 3.1 score of 9.0 reflecting network attackability with high impact across confidentiality, integrity, and availability when the key is known.

An attacker in possession of the machineKey can craft and serialize a malicious payload that the server will deserialize, resulting in remote code execution. The vulnerability was exploited in the wild during March 2025, and successful exploitation requires no user interaction or prior authentication beyond knowledge of the key.

Vendor guidance and the referenced security advisory indicate that administrators can mitigate the issue by manually removing the machineKey entry from portal\web.config, while the CISA Known Exploited Vulnerabilities catalog lists the CVE and points to the Gladinet release notes for the patched build.

The high EPSS values, with a current score of 0.8536 and a peak of 0.8897, align with confirmed in-the-wild exploitation prior to the April 2025 disclosure.

EU & UK References

Vulnerability details

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for…

more

server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.

CWE(s)
KEV Date Added
08 April 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gladinet
centrestack
≤ 16.4.10315.56368

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-798 CWE-321

Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to be introduced via procured products.

addresses: CWE-798 CWE-321

Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.

addresses: CWE-798 CWE-321

Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

addresses: CWE-798

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

addresses: CWE-798

External identity providers eliminate the need for hard-coded credentials in applications.

addresses: CWE-798

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

References