A newly reported security flaw, CVE-2025-30406, affects both Gladinet CentreStack and Triofox, exposing organizations to potential remote code execution attacks. As of now, seven organizations have been compromised because of this flaw, which is attributed to the use of hard-coded cryptographic keys. The issue has been patched in version 16.4.10315.56368 of CentreStack, released on April 3, 2025. Users are advised to urgently update their software. Telemetry suggests significant exploitation, including attackers downloading malicious files and moving laterally.
By default, previous versions of the Triofox software have the same hard-coded cryptographic keys in their configuration file and can be easily abused for remote code execution.
Telemetry data gathered from its partner base has revealed that the CentreStack software is installed on about 120 endpoints and that seven unique organizations were affected by the exploitation of the vulnerability.
The earliest sign of compromise dates back to April 11, 2025, 16:59:44 UTC, with attackers leveraging the flaw to download and sideload a DLL using an encoded PowerShell script.
In light of active exploitation, it's essential that users of Gladinet CentreStack and Triofox update their instances to the latest version to safeguard against potential risks.
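A defender-side check for the hard-coded key condition described above, added here as an example and not taken from Gladinet or the original report. It assumes the keys sit in an ASP.NET-style `machineKey` element of each instance's configuration file; the host names and key strings are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def _cfg(validation_key, decryption_key):
    # Builds a constructed, minimal ASP.NET-style config for the samples below.
    return ('<configuration><system.web><machineKey '
            f'validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" /></system.web></configuration>')

# Constructed sample data: placeholder key strings, hypothetical host names.
SAMPLE_CONFIGS = {
    "files-01": _cfg("0123ABCD" * 8, "89EF4567" * 4),
    "files-02": _cfg("0123abcd" * 8, "89ef4567" * 4),   # same key, different case
    "files-03": _cfg("FEDC9876" * 8, "3210BA98" * 4),   # rotated, unique
    "files-04": _cfg("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    "files-05": "<configuration><system.web /></configuration>",
}

def machine_key_fingerprint(config_xml):
    """Return a short hash of static key material, or None if none is configured."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    if node is None:
        return None
    keys = [node.get(a, "").strip().upper() for a in ("validationKey", "decryptionKey")]
    if not any(k and not k.startswith("AUTOGENERATE") for k in keys):
        return None  # keys are generated per machine, nothing static to compare
    # Hash instead of returning the key so reports never contain key material.
    return hashlib.sha256("|".join(keys).encode()).hexdigest()[:16]

def audit(configs):
    """Classify each host; a fingerprint seen on more than one host is a shared key."""
    by_fp = defaultdict(list)
    for host, xml_text in configs.items():
        fp = machine_key_fingerprint(xml_text)
        if fp:
            by_fp[fp].append(host)
    findings = {host: "no-static-key" for host in configs}
    for hosts in by_fp.values():
        for host in hosts:
            findings[host] = "shared-static-key" if len(hosts) > 1 else "unique-static-key"
    return findings

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host}: {finding}")
```

A `unique-static-key` result only means the key differs from the other hosts in the input; it does not show that the key differs from the one shipped with a vulnerable version.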