Overview of the Breach
Since March, cybercriminals have been exploiting a zero-day vulnerability in Gladinet CentreStack file-sharing software to breach storage servers.
What is Gladinet CentreStack?
Gladinet CentreStack turns traditional on-premises file servers into secure, cloud-like file platforms. It provides remote access, file syncing and sharing, and supports multi-tenant deployments along with Active Directory integration. The product serves thousands of businesses globally and suits organizations that need cloud features without a full migration.
Detailed Analysis of the Vulnerability
This critical flaw, tracked as CVE-2025-30406, is a deserialization vulnerability affecting versions up to 16.1.10296.56315. It stems from a hardcoded machineKey in the CentreStack configuration: attackers who use that key can submit malicious serialized payloads that the server deserializes and executes.
Immediate Actions and Mitigations
Gladinet has issued a security update for CVE-2025-30406 as of April 3, 2025. Available versions include 16.4.10315.56368 for general platforms, 16.3.4763.56357 for Windows, and 15.12.434 for macOS. Users should upgrade promptly or, as an interim measure, change the machineKey in the configuration files. When changing the key:
- Ensure consistency across multi-server setups when rotating the machineKey.
- Restart IIS after changes to enforce the security measures effectively.
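One way to verify a rotation across several nodes is sketched below, as an added example that is not code from Gladinet or from the original article. It assumes you have collected each node's web.config text and recorded fingerprints of the pre-rotation keys; the node names and key values are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET

def fingerprint(value):
    """Short SHA-256 digest so raw key material never appears in a report."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()[:16]

def read_machine_key(xml_text):
    """Return (validationKey fp, decryptionKey fp) for one web.config, or None."""
    node = ET.fromstring(xml_text).find(".//machineKey")
    if node is None:
        return None
    keys = []
    for attr in ("validationKey", "decryptionKey"):
        raw = node.get(attr, "AutoGenerate")
        # ASP.NET's AutoGenerate default yields a different key on every server.
        keys.append("auto" if raw.lower().startswith("autogenerate") else fingerprint(raw))
    return tuple(keys)

def audit(configs, old_key_fps):
    """configs: {node: web.config text}; old_key_fps: fingerprints of pre-rotation keys."""
    findings, seen = [], {}
    for name, text in sorted(configs.items()):
        keys = read_machine_key(text)
        if keys is None:
            findings.append((name, "no machineKey element"))
            continue
        if "auto" in keys:
            findings.append((name, "auto-generated key"))
        if old_key_fps & set(keys):
            findings.append((name, "old key still in use"))
        seen[name] = keys
    if len(set(seen.values())) > 1:
        findings.append(("*", "machineKey differs between nodes"))
    return findings

# Constructed sample data: fake keys and hypothetical node names.
TEMPLATE = '<configuration><system.web><machineKey validationKey="{}" decryptionKey="{}" /></system.web></configuration>'
OLD = TEMPLATE.format("0A1B2C", "3D4E5F")
NEW = TEMPLATE.format("99AA88", "77BB66")
OLD_FPS = {fingerprint("0A1B2C"), fingerprint("3D4E5F")}

if __name__ == "__main__":
    for node, issue in audit({"node1": NEW, "node2": OLD}, OLD_FPS):
        print(node, issue)
```

An empty result means every audited node carries the same explicit key and none matches a pre-rotation fingerprint.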
Additional Vendor Recommendations
The vendor strongly advises updating to the patched versions to enhance key management and reduce risks. For those unable to update immediately, rotating the machineKey is advised as a temporary protective measure.
Government and Industry Response
The Cybersecurity and Infrastructure Security Agency (CISA) has recognized CVE-2025-30406 as a Known Exploited Vulnerability but hasn’t linked it directly to ransomware activities. Nonetheless, the sophisticated nature of this vulnerability suggests a high likelihood of its exploitation in data theft incidents, similar to past attacks attributed to entities like the Clop ransomware gang.
CISA has given impacted agencies a deadline of April 29, 2025, to implement the necessary security updates or discontinue use of the product.
Last Updated: April 9, 2025