Article Details
Scrape Timestamp (UTC): 2025-04-15 04:40:31.288
Source: https://thehackernews.com/2025/04/gladinets-triofox-and-centrestack-under.html
Original Article Text
Click to Toggle View
Gladinet's Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability. A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks. It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025. The vulnerability is said to have been exploited as a zero-day in March 2025, although the exact nature of the attacks is unknown. Now, according to Huntress, the weakness also affects Gladinet Triofox up to version 16.4.10317.56372. "By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution," John Hammond, principal cybersecurity researcher at Huntress, said in a report. Telemetry data gathered from its partner base has revealed that the CentreStack software is installed on about 120 endpoints and that seven unique organizations were affected by the exploitation of the vulnerability. The earliest sign of compromise dates back to April 11, 2025, 16:59:44 UTC. The attackers have been observed leveraging the flaw to download and sideload a DLL using an encoded PowerShell script, an approach seen in recent attacks using the CrushFTP flaw, followed by conducting lateral movement and installing MeshCentral for remote access. Huntress also said the attackers have been identified as running Impacket PowerShell commands to perform various enumeration commands and install MeshAgent. That said, the exact scale and the end goal of the campaigns are currently unknown. In light of active exploitation, it's essential that users of Gladinet CentreStack and Triofox update their instances to the latest version to safeguard against potential risks.
Daily Brief Summary
A critical remote code execution vulnerability in Gladinet's CentreStack and Triofox solutions has impacted seven organizations.
The flaw, tracked as CVE-2025-30406 with a severity of 9.0, involved a hardcoded cryptographic key exposing servers to remote attacks.
Although fixed in CentreStack version 16.4.10315.56368, the vulnerability was active as a zero-day in March 2025 before being addressed.
The vulnerability in Triofox persists up to version 16.4.10317.56372, affecting all previous versions due to similar insecure configurations.
Attackers exploited the vulnerability to download a malicious DLL via encoded PowerShell, mimicking tactics used in other recent breaches.
The attacks facilitated unauthorized lateral movements and installation of remote access tools like MeshCentral and MeshAgent on affected networks.
Huntress's telemetry indicated the CentreStack software was installed on approximately 120 endpoints across multiple partners.
Immediate updates to the latest software versions are urged for users of the affected Gladinet products to prevent further exploits.