
CentreStack Zero-Day Puts MSPs at Risk of RCE


A critical zero-day vulnerability in Gladinet’s CentreStack, a file-sharing platform heavily used by managed services providers (MSPs), has been actively exploited since March 2025, raising alarms across the cybersecurity industry.

The flaw, tracked as CVE-2025-30406, is a deserialization vulnerability tied to insecure cryptographic practices. According to entries in both the National Vulnerability Database (NVD) and CVE.org, attackers had been leveraging this bug in live environments well before it was publicly disclosed on April 3. In its security advisory, Gladinet confirmed evidence of exploitation in the wild.

On April 9, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. All federal civilian executive branch agencies have been ordered to apply patches no later than April 29.

What Makes CVE-2025-30406 Dangerous?

At the heart of the issue is CentreStack’s use of a hardcoded or improperly secured machineKey in the IIS web.config file. ASP.NET relies on this key to secure ViewState data and to determine whether incoming ViewState is trustworthy.

According to Süleyman Özarslan, co-founder of Picus Security, if a threat actor obtains or guesses this machineKey, they can craft malicious ViewState payloads that bypass integrity checks. “That allows remote code execution (RCE) via server-side deserialization,” Özarslan explained.

Why MSPs Are Especially at Risk

CentreStack is marketed directly to MSPs and IT solution providers, offering features like multi-tenancy, Active Directory integration, and white-label support. These capabilities make it ideal for managing large client bases, but they also introduce significant risk. If an attacker compromises an MSP’s CentreStack instance, they may gain privileged access to dozens or even hundreds of downstream networks.

CentreStack is used by over 1,000 MSPs worldwide, according to Gladinet’s website. This extensive adoption makes it a high-value target. The situation is reminiscent of the 2024 attacks involving ConnectWise’s ScreenConnect, which threat actors exploited at scale to deploy ransomware to MSP clients.

Urgent Patching of CentreStack Recommended

To mitigate CVE-2025-30406, Gladinet urges customers to upgrade to version 16.4.10315.56368, which includes a fix that automatically generates a unique machineKey for each deployment. For customers who can’t update immediately, rotating machineKey values is advised as a temporary mitigation step.
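A defender-side check for the condition described above, added here as an example and not taken from Gladinet or the original article: it scans collected web.config contents for literal machineKey values and reports any key that is shared across deployments, which is the state the fix and the rotation advice are meant to eliminate. The file names and key values are constructed samples, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def _cfg(machine_key=""):
    # Minimal web.config skeleton used to build the constructed samples below.
    return f"<configuration><system.web>{machine_key}</system.web></configuration>"

# Constructed placeholder key material, not a real CentreStack key.
_STATIC = ('<machineKey validationKey="0123ABCD0123ABCD" '
           'decryptionKey="4567EF014567EF01" validation="HMACSHA256" decryption="AES" />')
_AUTO = ('<machineKey validationKey="AutoGenerate,IsolateApps" '
         'decryptionKey="AutoGenerate,IsolateApps" />')

# Constructed inventory: two deployments share one literal key, one uses
# auto-generated keys, one has no machineKey element (ASP.NET then auto-generates).
SAMPLES = {
    "deploy-a/web.config": _cfg(_STATIC),
    "deploy-b/web.config": _cfg(_STATIC),
    "deploy-c/web.config": _cfg(_AUTO),
    "deploy-d/web.config": _cfg(),
}

def fingerprint(key):
    """Short SHA-256 digest so reports never contain the key itself."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()[:12]

def static_keys(xml_text):
    """Return {attribute: fingerprint} for literal (non-AutoGenerate) keys."""
    found = {}
    for mk in ET.fromstring(xml_text).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            if value and not value.lower().startswith("autogenerate"):
                found[attr] = fingerprint(value)
    return found

def audit(configs):
    """Return per-file static keys and the fingerprints reused across files."""
    per_file, seen = {}, defaultdict(set)
    for path, text in configs.items():
        per_file[path] = static_keys(text)
        for fp in per_file[path].values():
            seen[fp].add(path)
    shared = {fp: sorted(p) for fp, p in seen.items() if len(p) > 1}
    return per_file, shared

if __name__ == "__main__":
    per_file, shared = audit(SAMPLES)
    for path, keys in per_file.items():
        print(path, "STATIC KEY" if keys else "ok", keys)
    for fp, paths in shared.items():
        print("key", fp, "shared by", paths)
```

A literal key that appears in only one deployment is still worth reviewing, since the audit cannot tell whether it was generated uniquely or shipped as a default.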

While the full scope of exploitation remains unclear, the vulnerability poses a serious risk to any MSP or enterprise running outdated CentreStack versions. As of this writing, Gladinet has not responded to media inquiries regarding the nature or extent of the attacks.
