
CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days

CISA has added fresh CentreStack and Windows CLFS vulnerabilities to the Known Exploited Vulnerabilities catalog.


The US cybersecurity agency CISA on Tuesday urged organizations to urgently patch two exploited zero-day vulnerabilities in Gladinet CentreStack and Microsoft Windows.

Tracked as CVE-2025-30406 (CVSS score of 9), the CentreStack bug was disclosed on April 3, when Gladinet announced patches for it, warning that it had been exploited in the wild since March. There does not appear to be any public information on these attacks.

The issue impacts the way the cloud server and collaboration platform manages the cryptographic keys used for ViewState integrity verification, allowing an attacker to forge ViewState data and execute arbitrary code remotely.

“The application uses a hardcoded or improperly protected machineKey in the IIS web config file, which is responsible for securing ASP.NET ViewState data. If an attacker obtains or predicts the machineKey, they can forge ViewState payloads that pass integrity checks,” Gladinet explains in its advisory (PDF).

In certain configurations, the company explains, ViewState deserialization attacks can be mounted, potentially resulting in remote code execution (RCE) on the web server.

Gladinet addressed the vulnerability in CentreStack 16.4.10315.56368, urging organizations to update immediately or to rotate the machineKey values as an interim mitigation.

“The latest build now automatically generates a new machine key during installation to enhance system security,” the company said.
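An added audit helper, not code from the article or from Gladinet: it parses an ASP.NET web.config, reports whether the machineKey element carries static key material instead of the AutoGenerate setting, and builds a replacement element with fresh random keys, which is the key-rotation mitigation the vendor describes. The sample web.config, its placeholder key values and every function name below are constructed for this example.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config showing the risky pattern: static key material that ships
# with the product. The values are placeholders, not keys taken from any real deployment.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

AUTO = "AutoGenerate"  # ASP.NET default for both keys is "AutoGenerate,IsolateApps"


def audit_machine_key(config_xml: str) -> dict:
    """Report whether <system.web><machineKey> holds static keys rather than AutoGenerate.

    A static key is legitimate for a web farm that must share ViewState across nodes, but it
    has to be unique to the deployment and kept confidential; a default shared by every
    install is exactly what lets a forged ViewState pass the integrity check.
    """
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        return {"present": False, "static_validation_key": False, "static_decryption_key": False}
    vkey, dkey = mk.get("validationKey", AUTO), mk.get("decryptionKey", AUTO)
    return {
        "present": True,
        "static_validation_key": not vkey.startswith(AUTO),
        "static_decryption_key": not dkey.startswith(AUTO),
        "validation_key": vkey,
        "key_lengths": (len(vkey), len(dkey)),
    }


def rotated_machine_key() -> str:
    """Build a replacement <machineKey> with fresh random keys (the interim mitigation).

    Sizes follow the usual ASP.NET guidance: 64 bytes for an HMACSHA256 validationKey and
    32 bytes for an AES decryptionKey. Deploy the same element to every farm node; existing
    ViewState and forms-authentication tickets become invalid once the keys change.
    """
    vkey, dkey = secrets.token_hex(64).upper(), secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            f'validation="HMACSHA256" decryption="AES" />')


def rotate_in_config(config_xml: str) -> str:
    """Return config_xml with any existing <machineKey> replaced by a freshly generated one."""
    root = ET.fromstring(config_xml)
    sysweb = root.find("./system.web")
    if sysweb is None:
        sysweb = ET.SubElement(root, "system.web")
    old = sysweb.find("machineKey")
    if old is not None:
        sysweb.remove(old)
    sysweb.append(ET.fromstring(rotated_machine_key()))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
```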

The Windows flaw, tracked as CVE-2025-29824 (CVSS score of 7.8), is described as a use-after-free issue in the platform’s Common Log File System (CLFS) driver that could be used to elevate privileges locally.


Microsoft released fixes for the security defect as part of its April 2025 Patch Tuesday updates, warning that it has observed a threat actor exploiting it against organizations in the US, Venezuela, Spain, and Saudi Arabia. The exploit was deployed using the PipeMagic malware, which has been used in ransomware attacks.

On Tuesday, CISA added both flaws to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the available patches and mitigations by April 29, as mandated by Binding Operational Directive (BOD) 22-01.

Although the directive only applies to federal agencies, all organizations are advised to review the KEV list, identify affected applications and devices within their environments, and address the security defects immediately.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
