Critical CVE-2025-30406 Exploit Targets Gladinet Software; Patch Now Urged Amid Ongoing Attacks
April 15, 2025
Researchers have warned that hundreds of vulnerable servers exposed to the Internet are at risk, as the flaw permits remote code execution and full server compromise if left unpatched.
On April 11, 2025, Huntress discovered suspicious activity linked to this vulnerability, indicating that exploitation attempts are ongoing.
A patch addressing this vulnerability was released on April 3, 2025, in version 16.4.10315.56368, which improves key management and mitigates exposure.
In response to the threat, Huntress has developed detection tools and Sigma rules to help identify and mitigate the vulnerability, urging partners to apply the patch immediately.
Huntress has reported a critical vulnerability, identified as CVE-2025-30406, that is currently being actively exploited in the wild, affecting Gladinet CentreStack and Triofox software.
Attackers are exploiting this vulnerability through the ASPX ViewState mechanism, which can be manipulated because of the software's hardcoded keys; ViewState abuse of this kind is a well-researched attack vector.
In March 2025, the vulnerability was exploited in attacks that compromised at least seven organizations and affected around 120 endpoints.
Recognizing its significance, CISA added CVE-2025-30406 to its Known Exploited Vulnerabilities catalog on April 8, 2025.
This vulnerability, which has a CVSS score of 9.0, is a deserialization issue stemming from hardcoded machineKey values in the IIS web.config file.
Exploiting this vulnerability allows attackers to execute code remotely as IIS APPPOOL\portaluser, with the potential for privilege escalation to SYSTEM.
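A defender-side check for the condition described above, as an added example that is not code from Huntress, Gladinet or the cited source: it flags explicit (non-AutoGenerate) machineKey attributes in a web.config, fingerprints them so that servers can be compared without copying the key, and compares an installed build against the fixed version named in the article. The sample configs, placeholder key strings and host names are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

FIXED_BUILD = "16.4.10315.56368"  # patched version named in the article

# Constructed sample configs; the key values are placeholders, not real keys.
SAMPLE_STATIC = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER0123456789ABCDEF"
              decryptionKey="PLACEHOLDERFEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SAMPLE_AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""
SAMPLE_NONE = "<configuration><system.web /></configuration>"


def audit_machine_key(config_xml):
    """Return (attribute, fingerprint) for each explicit machineKey value."""
    findings = []
    root = ET.fromstring(config_xml)
    for node in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = node.get(attr, "")
            if value and not value.lower().startswith("autogenerate"):
                # Truncated SHA-256 identifies the key without exposing it.
                digest = hashlib.sha256(value.encode()).hexdigest()[:16]
                findings.append((attr, digest))
    return findings


def shared_keys(configs):
    """Map (attribute, fingerprint) -> hosts for keys seen on several hosts."""
    seen = {}
    for host, xml_text in configs.items():
        for finding in audit_machine_key(xml_text):
            seen.setdefault(finding, set()).add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def is_patched(installed, fixed=FIXED_BUILD):
    """Compare dotted build numbers numerically, field by field."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(installed) >= as_tuple(fixed)
```

An explicit key on one server is not by itself proof of the shipped default; the same fingerprint appearing on independent installations is the pattern that matches a hardcoded key.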
Summary based on 1 source
Source

Security Affairs • Apr 15, 2025
Gladinet flaw CVE-2025-30406 actively exploited in the wild