Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
Description
A vulnerability in Gladinet CentreStack and Triofox application using hardcoded cryptographic keys for ViewState could allow an attacker to forge ViewState data. This can lead to unauthorized actions such as remote code execution. Both applications make use of a hardcoded machineKey in the IIS web.config file, which is responsible for securing ASP.NET ViewState data. If an attacker obtains the machineKey, they can forge ViewState payloads that pass integrity checks. This can result in ViewState deserialization attacks, potentially leading to remote code execution (RCE) on the web server. Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368). Gladinet Triofox versions up to 16.4.10317.56372 are vulnerable (fixed in 16.4.10317.56372). NOTE: There are other rebranded services that might be vulnerable and can be detected by this module.
Author(s)
- Huntress Team
- H00die Gr3y
Platform
Windows
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/http/gladinet_viewstate_deserialization_cve_2025_30406
msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > show targets
...targets...
msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > set TARGET < target-id >
msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > show options
...show and set options...
msf exploit(gladinet_viewstate_deserialization_cve_2025_30406) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security