Critical RCE Flaw in CentreStack File Sharing Platform Actively Exploited in the Wild

A severe remote code execution (RCE) vulnerability has been discovered in the CentreStack file-sharing platform, with attackers actively exploiting the flaw since March 2025.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability, tracked as CVE-2025-30406, to its Known Exploited Vulnerabilities catalog on Tuesday.

CentreStack, a platform used by managed service providers (MSPs) to provide cloud file services to customers, contains a critical deserialization vulnerability stemming from hardcoded security keys in its configuration.

According to Gladinet, the platform's developer, the flaw exists in the IIS web.config file's machineKey implementation. Attackers who obtain or predict this key can forge malicious payloads that bypass security checks, potentially leading to unauthorized code execution on affected servers.

The vulnerability impacts CentreStack versions up to v16.1.10296.56315. Gladinet has released a patched version (16.4.10315.56368) that automatically generates unique machine keys during installation.

The same vulnerability also affects Triofox, Gladinet's enterprise file sharing solution, where active exploitation has been observed. A security update (v16.4.10317.56372) is available for Triofox installations.

Organizations running affected versions are strongly advised to update to the latest release. Those unable to update immediately should manually generate and implement new machine keys as a temporary mitigation measure.
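The temporary mitigation described above (replacing the hardcoded machineKey with freshly generated keys) as an added PowerShell example; this is not Gladinet's tooling, the web.config path is a placeholder, and the script assumes a standard ASP.NET `<system.web>` section in that file.

```powershell
# Added example (not from Gladinet): rotate the ASP.NET machineKey in a
# CentreStack/Triofox web.config so that a shared or predictable key can no
# longer be used to forge signed/encrypted payloads such as ViewState.
# Run in an elevated PowerShell session on the application server.
param(
    # Placeholder path: point this at the product's actual web.config.
    [string]$WebConfigPath = 'C:\path\to\CentreStack\web.config'
)

function New-HexKey {
    # Returns $ByteLength cryptographically random bytes as a hex string,
    # the format ASP.NET expects for validationKey / decryptionKey.
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

if (-not (Test-Path -Path $WebConfigPath)) {
    throw "web.config not found at $WebConfigPath"
}

# Keep a timestamped backup before touching the file.
$backup = "$WebConfigPath.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
Copy-Item -Path $WebConfigPath -Destination $backup

[xml]$config = Get-Content -Path $WebConfigPath -Raw
$systemWeb = $config.configuration.'system.web'
if (-not $systemWeb) {
    throw "No <system.web> section found in $WebConfigPath"
}

# Reuse the existing <machineKey> element if present, otherwise create one.
$machineKey = $systemWeb.machineKey
if (-not $machineKey) {
    $machineKey = $config.CreateElement('machineKey')
    [void]$systemWeb.AppendChild($machineKey)
}

# 64-byte HMAC-SHA256 validation key and 32-byte AES-256 decryption key,
# generated on this host rather than shipped with the installer.
$machineKey.SetAttribute('validationKey', (New-HexKey -ByteLength 64))
$machineKey.SetAttribute('decryptionKey', (New-HexKey -ByteLength 32))
$machineKey.SetAttribute('validation', 'HMACSHA256')
$machineKey.SetAttribute('decryption', 'AES')

$config.Save($WebConfigPath)
Write-Output "machineKey rotated in $WebConfigPath (backup: $backup)"
```

After saving, recycle the site's application pool so the new key takes effect; existing ViewState and forms-authentication tickets signed with the old key will be rejected, which is the intended result. In a multi-server deployment every node must carry the same generated key.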

This incident joins a growing list of attacks targeting enterprise file transfer solutions, following similar breaches involving MOVEit, Cleo, GoAnywhere, and CrushFTP platforms over the past two years.