Description
A vulnerability in Gladinet CentreStack and Triofox application using hardcoded cryptographic keys for ViewState could allow an attacker to forge ViewState data. This can lead to unauthorized actions such as remote code execution. Both applications make use of a hardcoded machineKey in the IIS web.config file, which is responsible for securing ASP.NET ViewState data. If an attacker obtains the machineKey, they can forge ViewState payloads that pass integrity checks. This can result in ViewState deserialization attacks, potentially leading to remote code execution (RCE) on the web server.
Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368). Gladinet Triofox versions up to 16.4.10317.56372 are vulnerable (fixed in 16.4.10317.56372). NOTE: There are other rebranded services that might be vulnerable and can be detected by this module.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/http/gladinet_viewstate_deserialization_cve_2025_30406msf undefined(gladinet_viewstate_deserialization_cve_2025_30406) > show actions ...actions...msf undefined(gladinet_viewstate_deserialization_cve_2025_30406) > set ACTION < action-name >msf undefined(gladinet_viewstate_deserialization_cve_2025_30406) > show options ...show and set options...msf undefined(gladinet_viewstate_deserialization_cve_2025_30406) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub