{"id":2790,"date":"2025-04-17T02:20:38","date_gmt":"2025-04-17T02:20:38","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2790"},"modified":"2025-04-17T02:20:38","modified_gmt":"2025-04-17T02:20:38","slug":"update-these-two-servers-from-gladinet-immediately-cisos-told","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2790","title":{"rendered":"Update these two servers from Gladinet immediately, CISOs told"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs running Gladinet\u2019s CentreStack file server or Triofox file sharing server should update the applications as soon as possible because of a hard-coded key vulnerability which is being exploited now, say researchers at Huntress.<\/p>\n<p>\u201cImmediate action is essential.\u201d John Hammond, principal security researcher at Huntress, said in an email to CSO.<\/p>\n<p>\u201cIf left unpatched, it opens the door to data breaches and system compromise with minimal effort.\u201d<\/p>\n<p>The vulnerability, CVE-2025-30406, is so bad that it was added to the US Cybersecurity and Infrastructure Security Agency\u2019s Known Exploited Vulnerabilities Catalog on April 8. Since then, Huntress has seen seven organizations compromised through this hole.<\/p>\n<p>According to MITRE, the vulnerability has been exploited since March.<\/p>\n<p><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-30406\">CVE-2025-30406<\/a> ranks as a critical severity vulnerability, Hammond added. \u201cSimply, the server being accessible is the only requirement for it to be exploited. Vulnerable Gladinet CentreStack or Triofox instances are susceptible to this via their own sensitive cryptographic keys, which are hardcoded in the application and unchanged by default. 
These keys are trivial to obtain, and once an adversary knows what the values are, it is \u2018point and shoot\u2019 open season for exposed servers.\u201d<\/p>\n<p>\u201cThere are a few hundred vulnerable servers exposed to the public internet, according to Shodan,\u201d <a href=\"https:\/\/www.huntress.com\/blog\/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild\">Hammond wrote in a blog earlier this week.<\/a> \u201cWhile this may be a relatively small number, the risk of immediate compromise is still severe.\u201d\u00a0<\/p>\n<p>The bulk of those servers are in the US and Canada.<\/p>\n<p>Gladinet CentreStack versions up to 16.1.10296.56315 are vulnerable; the hole is fixed in version 16.4.10315.56368. All versions of Triofox below 16.4.10317.56372 are vulnerable. And, said the blog, \u201cIf a Gladinet CentreStack or Triofox server is exposed to the internet with these hardcoded keys, it is in immediate danger and needs to be patched or have the machineKey values changed as soon as possible.\u201d<\/p>\n<p>According to Hammond, the CentreStack web portal is an ASPX application and uses the typical web.config file in this installation path: <em>C:\\Program Files (x86)\\Gladinet Cloud Enterprise\\root\\web.config<\/em>, although it has also been seen at <em>C:\\Program Files (x86)\\Gladinet Cloud Enterprise\\portal\\web.config<\/em>. 
<\/p>\n<p>Similarly, Triofox web.config files could be in two locations: <em>C:\\Program Files (x86)\\Triofox\\root\\web.config<\/em> and <em>C:\\Program Files (x86)\\Triofox\\portal\\web.config<\/em>.<\/p>\n<p>The weakness can be leveraged to abuse the ASPX ViewState, a mechanism used to preserve the state of a web page and its controls between multiple HTTP requests, says the <a href=\"https:\/\/www.csoonline.com\/?utm_campaign=5823006-CY25-Prospect_Newsletter&amp;utm_medium=email&amp;_hsenc=p2ANqtz-_hNhhi29paGBMNvI4-txf6Gmah7QXmXZI-OvKNsH9tCyibMPHBIVn-1qKAyFj-wJEAxY-X0RqsujHnFqqS_fMmO9H13RE7PbMc0DoVy15M_gYefaQ&amp;_hsmi=356842527&amp;utm_content=356811907&amp;utm_source=hs_email\">Huntress blog<\/a>. The hardcoded keys open the door for a very standard and well-researched attack technique with ViewState deserialization. ASP.NET protects ViewState with a MAC computed from the machineKey\u2019s validationKey (and, where enabled, encryption under its decryptionKey), so the server trusts any ViewState whose MAC verifies; an attacker who holds the default keys can therefore supply a ViewState blob that passes validation and is deserialized server-side, which is what turns a published default key into unauthenticated compromise of every unpatched instance.<\/p>\n<p>\u201cTo be clear,\u201d the blog added, \u201cthere may be two web.config files (one in root and one in portal directories) as this is a very common setup in ASP.NET applications. There is a root web app, and nested sub-applications.\u201d<\/p>\n<p>To patch or mitigate the risk, says Huntress, \u201cif both <em>web.config<\/em> files are present, both must have updated machineKey values, or the <em>portal\\web.config machineKey<\/em> can be removed. The official Gladinet patch updates the root\\web.config file but removes the machineKey entry from portal\\web.config.\u201d 
\u201cThis is a very important nuance because all configuration files must make sure they do not use the default hardcoded key value in order to be fully protected,\u201d said the blog.<\/p>\n<p>Gladinet\u2019s security advisories for <a href=\"https:\/\/gladinetsupport.s3.us-east-1.amazonaws.com\/gladinet\/securityadvisory-cve-2005.pdf\">CentreStack<\/a> and <a href=\"https:\/\/gladinetsupport.s3.us-east-1.amazonaws.com\/gladinet\/securityadvisory-cve-2025-triofox.pdf\">Triofox<\/a> provide further remediation guidance.<\/p>\n<h2 class=\"wp-block-heading\">Hard to defend against attacks<\/h2>\n<p>Roger Grimes, data-driven defense analyst at KnowBe4, said in an email that hard-coded credential vulnerabilities are hard to build a defense around unless the vendor can release a fix, although, he added, an IT admin might be able to remove the device from their network until it is fixed, or block remote access to the impacted device until it is remediated.<\/p>\n<p>\u201cWhat frustrates me is that hard-coded credentials are probably the easiest type of code vulnerability that anyone could think of. It\u2019s very basic and easy to see that it\u2019s wrong and an accident just waiting to happen. Yet I\u2019ve seen a few of them announced in the last week or two.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Programmers not properly trained<\/h2>\n<p>How can programmers make this type of basic mistake?<\/p>\n<p>For starters, Grimes said, they aren\u2019t trained <em>not<\/em> to do it. \u201cAlmost no programming curriculum in the world (for example, university, technical school, online, etc.) teaches secure programming,\u201d he said. \u201cAnd if we don\u2019t teach our programmers about common vulnerabilities and how to avoid them, how can we magically expect them\u00a0<em>not\u00a0<\/em>to put them in their code? 
If you look at how we taught our programmers, you would expect to see the result we are getting today\u2026 which is over 40,200 separate vulnerabilities a year and growing. And the source reason of why we don\u2019t teach programmers to code more securely is that almost no employer asks their programmers to have secure programming skills to get hired. If employers aren\u2019t requiring it, schools aren\u2019t going to teach it.\u201d<\/p>\n<p>\u201cIf you don\u2019t like the sheer number of hard-coded credentials still happening today, just relax,\u201d he added. \u201cThere are, for sure, 1,000 programmers also putting hard-coded credentials into their apps every day and we will only find out about a very small percentage of them over time. The rest will live without being discovered, or it will be discovered that the attacker using them isn\u2019t announcing it to the world anytime soon.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs running Gladinet\u2019s CentreStack file server or Triofox file sharing server should update the applications as soon as possible because of a hard-coded key vulnerability which is being exploited now, say researchers at Huntress. \u201cImmediate action is essential.\u201d John Hammond, principal security researcher at Huntress, said in an email to CSO. 
\u201cIf left unpatched, it [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2791,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2790","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2790"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2790"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2790\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2791"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
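
The mitigation the article quotes from Huntress (both web.config files carry a fresh machineKey, or the portal copy is removed so it inherits the root value) is the kind of thing an admin wants to audit and apply in one pass. The PowerShell below is an added example and is not code from the article, from Huntress, or from Gladinet. It assumes the four default install paths quoted in the article, that the web.config files carry no default XML namespace on `<configuration>`, that it runs elevated on the server itself, and that the admin recycles IIS afterwards and copies the same key pair to every node behind a load balancer. All function and parameter names are the example's own. Because the article does not print the hard-coded default values, the audit does not match against them; instead it reports a hash of each validationKey, so that identical hashes on unrelated installs (or before and after a patch) are the tell-tale of a shared default.

```powershell
# Added example, not vendor or Huntress code. Audits the ASP.NET <machineKey> in the
# CentreStack / Triofox web.config files named in the article and rotates it.
# Assumptions: default install paths; web.config has no default xmlns; run elevated.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

# The four config locations from the Huntress write-up: a root app plus a nested 'portal' app.
$ConfigPaths = @(
    'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config',
    'C:\Program Files (x86)\Gladinet Cloud Enterprise\portal\web.config',
    'C:\Program Files (x86)\Triofox\root\web.config',
    'C:\Program Files (x86)\Triofox\portal\web.config'
)

# First fixed builds quoted in the article; anything older is vulnerable.
$FixedVersions = @{
    CentreStack = [version]'16.4.10315.56368'
    Triofox     = [version]'16.4.10317.56372'
}

function Test-GladinetVersionFixed {
    # Caller supplies the installed version (the article does not say where it is recorded).
    param([ValidateSet('CentreStack','Triofox')][string]$Product,
          [Parameter(Mandatory)][string]$InstalledVersion)
    return ([version]$InstalledVersion -ge $FixedVersions[$Product])
}

function New-MachineKeyHex {
    # Cryptographically random key material, hex-encoded as ASP.NET expects.
    param([Parameter(Mandatory)][int]$Bytes)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    return (($buf | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-MachineKeyReport {
    # One row per existing web.config: does it still carry an explicit <machineKey>,
    # and a SHA-256 of the validationKey so hosts can be compared without printing secrets.
    foreach ($p in $ConfigPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        [xml]$cfg = Get-Content -LiteralPath $p -Raw
        $mk = $cfg.SelectSingleNode('/configuration/system.web/machineKey')
        $hash = $null
        if ($mk) {
            $sha   = [System.Security.Cryptography.SHA256]::Create()
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($mk.GetAttribute('validationKey'))
            $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        }
        [pscustomobject]@{ Path = $p; HasMachineKey = [bool]$mk; ValidationKeyHash = $hash }
    }
}

function Set-MachineKey {
    # Write a fresh key pair into root\web.config and strip the element from portal\web.config
    # so the nested app inherits the root value (the end state the article attributes to the
    # vendor patch). Paths must be absolute: XmlDocument.Save resolves relative paths itself.
    param([Parameter(Mandatory)][string]$RootConfig,
          [Parameter(Mandatory)][string]$PortalConfig,
          [Parameter(Mandatory)][string]$ValidationKey,
          [Parameter(Mandatory)][string]$DecryptionKey)

    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    foreach ($f in @($RootConfig, $PortalConfig)) {
        if (Test-Path -LiteralPath $f) { Copy-Item -LiteralPath $f -Destination "$f.bak-$stamp" }
    }

    [xml]$root = Get-Content -LiteralPath $RootConfig -Raw
    $sysWeb = $root.SelectSingleNode('/configuration/system.web')
    if (-not $sysWeb) { throw "No <system.web> element in $RootConfig" }
    $mk = $sysWeb.SelectSingleNode('machineKey')
    if (-not $mk) { $mk = $sysWeb.AppendChild($root.CreateElement('machineKey')) }
    # Only the key material is replaced; any validation/decryption algorithm attributes the
    # vendor set are left alone, and a newly created element takes the ASP.NET defaults.
    $mk.SetAttribute('validationKey', $ValidationKey)
    $mk.SetAttribute('decryptionKey', $DecryptionKey)
    $root.Save($RootConfig)

    if (Test-Path -LiteralPath $PortalConfig) {
        [xml]$portal = Get-Content -LiteralPath $PortalConfig -Raw
        $pmk = $portal.SelectSingleNode('/configuration/system.web/machineKey')
        if ($pmk) { [void]$pmk.ParentNode.RemoveChild($pmk); $portal.Save($PortalConfig) }
    }
}

# Usage: audit first, then rotate. Generate the pair once and reuse it on every node.
Get-MachineKeyReport | Format-Table -AutoSize
# $vk = New-MachineKeyHex -Bytes 64   # 64-byte validationKey (HMAC)
# $dk = New-MachineKeyHex -Bytes 32   # 32-byte decryptionKey (AES-256)
# Set-MachineKey -RootConfig $ConfigPaths[0] -PortalConfig $ConfigPaths[1] -ValidationKey $vk -DecryptionKey $dk
# iisreset   # recycle so the new keys take effect
```

Two caveats a practitioner will want. Rotating the machineKey deliberately invalidates every outstanding ViewState and forms-authentication ticket, so expect users to be logged out; and rotation is a stopgap for the hard-coded key only, not a substitute for moving to the fixed builds the article names. If the report shows a `machineKey` in the portal file whose hash matches the root file's, both were set from the same source and both must change, which is exactly the nuance Huntress warns about.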