A critical zero-day vulnerability in Gladinet CentreStack’s enterprise file-sharing software has been actively exploited by hackers since March 2025, potentially exposing thousands of businesses to remote code execution attacks.
Gladinet CentreStack is widely used by managed service providers (MSPs) and enterprises with Windows-based file servers, offering cloud-like remote access, file syncing, and Active Directory integration without the need for full cloud migration. The company claims its software is deployed across 49 countries.
The flaw, now tracked as CVE-2025-30406, affects CentreStack versions up to 16.1.10296.56315 and stems from a hardcoded machineKey in the web application’s configuration file. This key secures ASP.NET ViewState data, and if known, allows attackers to forge trusted data payloads. This could let threat actors inject malicious serialized objects and gain remote code execution on vulnerable servers.
Gladinet confirmed exploitation in the wild and issued an emergency security patch on April 3, 2025, addressing the vulnerability in versions 16.4.10315.56368, 16.3.4763.56357 (Windows), and 15.12.434 (macOS). The company advises all users to update immediately or manually rotate the machineKey values in both root\web.config and portal\web.config files as an interim mitigation.
“Exploitation has been observed in the wild. We strongly recommend updating to the patched version, which improves key management and mitigates exposure. For customers who cannot update immediately, rotating the machineKey values is a recommended interim mitigation,” Gladinet advised.
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently added CVE-2025-30406 to its Known Exploited Vulnerabilities catalog, indicating active exploitation.
