A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date.
Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks.
It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025. The vulnerability is said to have been exploited as a zero-day in March 2025, although the exact nature of the attacks is unknown.
Now, according to Huntress, the weakness also affects Gladinet Triofox up to version 16.4.10317.56372.
"By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution," John Hammond, principal cybersecurity researcher at Huntress, said in a report.
Telemetry data gathered from its partner base has revealed that the CentreStack software is installed on about 120 endpoints and that seven unique organizations were affected by the exploitation of the vulnerability.
The earliest sign of compromise dates back to April 11, 2025, 16:59:44 UTC. The attackers have been observed leveraging the flaw to download and sideload a DLL using an encoded PowerShell script, an approach seen in recent attacks using the CrushFTP flaw, followed by conducting lateral movement and installing MeshCentral for remote access.
Hammond told The Hacker News that "we are unable to verify" if the activity related to exploitation in March was within the same clusters of activity discovered against customer environments in April.
"As the CentreStack software is designed for Managed Service Providers, exploitation has been found in both Managed Service Providers environments and their customer base," Hammond added. "We have seen no exploitation of Triofox as of now."
Huntress also said the attackers have been identified as running Impacket PowerShell commands to perform various enumeration commands and install MeshAgent. That said, the exact scale and the end goal of the campaigns are currently unknown.
"Although we are not able to determine the specific end goals of the threat actors, we believe all activity observed within Huntress-protected environments as of this time is primarily financially motivated," Hammond said. "This is not to suggest that state-aligned threat actors have not previously exploited – or will not exploit – this vulnerability in the near future."
In light of active exploitation, it's essential that users of Gladinet CentreStack and Triofox update their instances to the latest version to safeguard against potential risks.
(The story was updated after publication to include additional insights from Huntress.)
