A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date.
Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks.
It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025. The vulnerability is said to have been exploited as a zero-day in March 2025, although the exact nature of the attacks is unknown.
Now, according to Huntress, the weakness also affects Gladinet Triofox up to version 16.4.10317.56372.
“By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution,” John Hammond, principal cybersecurity researcher at Huntress, said in a report.
Telemetry data gathered from its partner base has revealed that the CentreStack software is installed on about 120 endpoints and that seven unique organizations were affected by the exploitation of the vulnerability.
The earliest sign of compromise dates back to April 11, 2025, 16:59:44 UTC. The attackers have been observed leveraging the flaw to download and sideload a DLL using an encoded PowerShell script, an approach seen in recent attacks using the CrushFTP flaw, followed by conducting lateral movement and installing MeshCentral for remote access.
Huntress also said the attackers have been identified as running Impacket PowerShell commands to perform various enumeration commands and install MeshAgent. That said, the exact scale and the end goal of the campaigns are currently unknown.
In light of active exploitation, it’s essential that users of Gladinet CentreStack and Triofox update their instances to the latest version to safeguard against potential risks.
