Hackers have been exploiting a zero-day vulnerability in Gladinet CentreStack’s secure file-sharing platform since March 2025 to breach enterprise storage servers, BleepingComputer reports. CentreStack allows businesses to convert on-premises Windows file servers into cloud-like systems with secure remote access, file syncing, and integration with Active Directory. The platform is used by thousands of organizations across 49 countries, including managed service providers and enterprises needing cloud-style functionality without full cloud migration.
The flaw, tracked as CVE-2025-30406, is a deserialization vulnerability affecting versions up to 16.1.10296.56315. It arises from a hardcoded machineKey in the software’s configuration, which attackers can exploit to inject malicious serialized objects into the system. This allows them to bypass security checks and execute arbitrary code, putting sensitive data and systems at risk.
Gladinet released patches on April 3, 2025, urging users to upgrade to the latest versions for Windows and macOS or, alternatively, rotate the machineKey manually as a temporary safeguard. The company emphasizes that organizations using multi-server setups must ensure key consistency across all nodes and restart IIS after changes to activate the mitigation.
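As an added example (not code from Gladinet or the original report), the Python script below audits the manual mitigation described above: it fingerprints the machineKey in each node's configuration file, flags nodes still using the pre-rotation key, and checks that every node carries the same key. It assumes the key is stored in a standard ASP.NET `<machineKey>` element; the node names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

def key_fingerprint(web_config_xml):
    """SHA-256 fingerprint of the explicit machineKey, or None if none is set.

    Only a fingerprint is returned, so audit output never contains key material.
    """
    element = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if element is None:
        return None
    keys = [element.get("validationKey", ""), element.get("decryptionKey", "")]
    if any(not k or k.startswith("AutoGenerate") for k in keys):
        return None  # keys are generated per server, not stored in the file
    return hashlib.sha256(":".join(keys).upper().encode()).hexdigest()[:16]

def audit_nodes(configs, pre_rotation_fingerprint):
    """Classify each node and report whether all nodes share one key."""
    status, fingerprints = {}, set()
    for node, xml_text in configs.items():
        fp = key_fingerprint(xml_text)
        fingerprints.add(fp)
        if fp is None:
            status[node] = "no-explicit-key"
        elif fp == pre_rotation_fingerprint:
            status[node] = "not-rotated"  # still on the key being replaced
        else:
            status[node] = "rotated"
    return status, len(fingerprints) == 1

# Constructed sample input: placeholder keys and hypothetical node names.
def sample_config(validation, decryption):
    return (f'<configuration><system.web><machineKey validationKey="{validation}" '
            f'decryptionKey="{decryption}" validation="HMACSHA256" decryption="AES"/>'
            '</system.web></configuration>')

OLD = sample_config("0A" * 32, "0B" * 16)    # configuration saved before rotation
NEW = sample_config("C1" * 32, "D2" * 16)    # freshly generated key
OTHER = sample_config("E3" * 32, "F4" * 16)  # a different fresh key (farm mismatch)
NODES = {"node-a": NEW, "node-b": OLD, "node-c": OTHER}

if __name__ == "__main__":
    status, consistent = audit_nodes(NODES, key_fingerprint(OLD))
    for node, state in status.items():
        print(node, state)
    print("keys consistent across nodes:", consistent)
```

The pre-rotation fingerprint is taken from a copy of the configuration saved before the change, so the audit can run without handling the old key itself.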
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed CVE-2025-30406 in its Known Exploited Vulnerabilities catalog, requiring federal and state entities to patch or stop using the product by April 29, 2025. While no ransomware group has been officially linked, the nature of the vulnerability suggests it is being leveraged for data theft, similar to past attacks by the Clop ransomware gang targeting other file transfer platforms.