module

Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization

Try Surface Command
Back to search
Disclosed
Apr 3, 2025
Created
May 28, 2025

Description

A vulnerability in Gladinet CentreStack and Triofox application using hardcoded
cryptographic keys for ViewState could allow an attacker to forge ViewState data.
This can lead to unauthorized actions such as remote code execution.
Both applications make use of a hardcoded machineKey in the IIS web.config file,
which is responsible for securing ASP.NET ViewState data. If an attacker obtains
the machineKey, they can forge ViewState payloads that pass integrity checks.
This can result in ViewState deserialization attacks, potentially leading to
remote code execution (RCE) on the web server.

Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368).
Gladinet Triofox versions up to 16.4.10317.56372 are vulnerable (fixed in 16.4.10317.56372).
NOTE: There are other rebranded services that might be vulnerable and can be detected by this module.

Authors

Huntress Team
H00die Gr3y

Platform

Windows

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/windows/http/gladinet_viewstate_deserialization_cve_2025_30406
    msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > show targets
        ...targets...
    msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > set TARGET < target-id >
    msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > show options
        ...show and set options...
    msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today