CVE-2025-30406
Published: 03 April 2025
Summary
CVE-2025-30406 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Gladinet CentreStack. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
Deeper analysis
Gladinet CentreStack through version 16.1.10296.56315 contains a deserialization vulnerability in the CentreStack portal stemming from use of a hardcoded machineKey, with the issue corrected in version 16.4.10315.56368. The weakness is tracked under CWE-321 and CWE-798 and carries a CVSS 3.1 score of 9.0 reflecting network attackability with high impact across confidentiality, integrity, and availability when the key is known.
An attacker in possession of the machineKey can craft and serialize a malicious payload that the server will deserialize, resulting in remote code execution. The vulnerability was exploited in the wild during March 2025, and successful exploitation requires no user interaction or prior authentication beyond knowledge of the key.
Vendor guidance and the referenced security advisory indicate that administrators can mitigate the issue by manually removing the machineKey entry from portal\web.config, while the CISA Known Exploited Vulnerabilities catalog lists the CVE and points to the Gladinet release notes for the patched build.
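A check an administrator could run to see whether a web.config still pins a literal machineKey is sketched below. It is an added example, not code from Gladinet or from this page. The sample configs and key value are constructed, and treating `AutoGenerate` values as non-static is an assumption based on ASP.NET's default machineKey setting.

```python
import sys
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

# Constructed samples: not CentreStack's real web.config or key material.
SAMPLE_STATIC = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""
SAMPLE_CLEAN = """<?xml version="1.0"?>
<configuration>
  <system.web><compilation debug="false" /></system.web>
</configuration>"""


def is_static(value):
    """True when the attribute holds a literal key, not an AutoGenerate setting."""
    return bool(value) and not value.strip().lower().startswith("autogenerate")


def audit_machine_keys(config_xml):
    """Return one finding per <machineKey> element that pins a literal key.

    Each finding maps attribute name to key length; the key is never echoed.
    """
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        # Compare the local name so namespaced configs and <location>
        # overrides are covered as well.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        static = {a: len(elem.get(a).strip())
                  for a in KEY_ATTRS if is_static(elem.get(a))}
        if static:
            findings.append(static)
    return findings


if __name__ == "__main__":
    # Usage: python audit_machinekey.py <path to portal\web.config>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STATIC
    for finding in audit_machine_keys(data):
        print("literal machineKey attributes (name: length):", finding)
```

An empty result means no literal key remains in that file. It does not show whether the patched build is installed.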
The high EPSS values, with a current score of 0.8536 and a peak of 0.8897, align with confirmed in-the-wild exploitation prior to the April 2025 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9671
Vulnerability details
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
- CWE(s)
- KEV Date Added: 08 April 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to be introduced via procured products.
Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.
Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.