
April 15, 2025 | Ravie Lakshmanan | Vulnerability / Endpoint Security

A newly discovered security flaw affecting Gladinet CentreStack has also been found to impact its Triofox remote access and collaboration solution, with at least seven organizations having been compromised so far, according to Huntress.

Designated as CVE-2025-30406 (CVSS score: 9.0), this vulnerability arises from the use of a hard-coded cryptographic key, which exposes internet-accessible servers to remote code execution attacks.

A patch has been released in CentreStack version 16.4.10315.56368, which was made available on April 3, 2025. It is reported that this vulnerability was exploited as a zero-day in March 2025, although the specifics of the attacks remain unclear.

According to Huntress, the vulnerability also affects Gladinet Triofox versions up to 16.4.10317.56372.

“By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution,” stated John Hammond, principal cybersecurity researcher at Huntress, in a report.

Telemetry data collected from Huntress's partner base indicates that the CentreStack software is installed on approximately 120 endpoints, with seven unique organizations having been affected by the exploitation of this vulnerability.

The earliest sign of compromise dates back to April 11, 2025, at 16:59:44 UTC. The attackers were observed leveraging this flaw to download and sideload a DLL using an encoded PowerShell script, an approach seen in recent attacks utilizing the CrushFTP flaw, followed by conducting lateral movement and installing MeshCentral for remote access.

Huntress also reported that the attackers were observed running Impacket PowerShell commands to perform enumeration and install MeshAgent. However, the exact scale and the end goal of these campaigns remain unknown at this time.

In light of active exploitation, it is essential that users of Gladinet CentreStack and Triofox update their instances to the latest version to safeguard against potential risks.
