Zero-Day in CentreStack Raises Concerns for MSPs and Enterprises

A recently disclosed zero-day vulnerability in Gladinet’s CentreStack file-sharing platform has triggered warnings across the cybersecurity community, reports Cybersecurity Dive. CVE-2025-30406, a deserialization flaw tied to the use of a hardcoded cryptographic key, allows remote code execution and has already been exploited in at least seven known cases, according to research published by Huntress. The flaw impacts both CentreStack and Triofox—Gladinet’s on-premises alternative for larger enterprises—though initial advisories did not immediately flag Triofox as vulnerable.

The vulnerability, added to CISA’s Known Exploited Vulnerabilities Catalog on April 9, stems from the reuse of default keys in the platform's configuration files. These keys, left unchanged during deployment, make it easier for attackers to execute standard attack chains and gain complete control over compromised environments. Huntress identified 120 CentreStack endpoints among its monitored systems, finding successful exploitation in seven separate organizations.

Though Triofox has not yet been observed in active exploit attempts, its exposure to the same hardcoded keys leaves a similar attack surface. The lack of early inclusion of Triofox in the CVE database or Gladinet’s initial advisory has raised concerns, particularly for organizations unaware that their deployments may be vulnerable. Gladinet has since issued separate guidance for Triofox, urging customers to upgrade or manually rotate the keys to reduce exposure.

Further analysis by Huntress revealed that attackers leveraged the flaw to deploy MeshCentral for remote access and move laterally across systems, indicating broader intent beyond initial compromise. While the attacks do not appear to be targeting managed service providers specifically, the nature of CentreStack’s deployment among MSPs means the impact could cascade across multiple client environments if left unaddressed.