CentreStack 0-Day Flaw Enables Remote Code Execution on Web Servers

A critical security flaw, tracked as CVE-2025-30406, has been identified in ASP.NET applications that improperly manage cryptographic keys for ViewState integrity checks.

This vulnerability allows attackers to forge ViewState data, potentially leading to unauthorized actions or remote code execution (RCE) on affected web servers.

Immediate remediation is urged, as exploitation has already been observed in active attacks.

Technical Overview of CVE-2025-30406

The vulnerability stems from the use of hardcoded or inadequately protected machineKey values in the IIS web.config file.

These keys are responsible for securing ASP.NET ViewState data—a mechanism used to maintain page state across HTTP requests.

If an attacker obtains or predicts the machineKey, they can bypass integrity checks and craft malicious ViewState payloads.

In configurations where deserialization is enabled, this could lead to RCE by exploiting insecure deserialization processes.

Impact and Exploitation

Successful exploitation enables:

• Unauthorized modification of server-side ViewState data.
• Execution of arbitrary code on the web server (in configurations allowing deserialization).
• Compromise of clustered environments if keys are shared across nodes.

Remediation Steps

1. Apply the Patched Version (Build 16.4.10315.56368)
Download the updated installer from Gladinet Cloud Enterprise. The patch automatically generates a unique machineKey during installation, eliminating reliance on default or static keys.

2. Manual Mitigation for Immediate Risk Reduction
For systems unable to update immediately, rotate machineKey values manually:

• Single Server:
  • Navigate to C:Program Files (x86)Gladinet Cloud Enterpriseroot and back up web.config.
  • In IIS Manager, generate new keys via Sites → Default Web Site → Machine Key → Generate Keys.
  • Remove existing machineKey entries from portalweb.config and restart IIS.

• Server Farms:
  • Generate a new machineKey on the primary node and replicate it across all worker nodes.
  • Ensure portalweb.config on all nodes does not contain legacy machineKey configurations.

3. Additional Hardening Recommendations
Refer to the KB Article for guidelines on securing CentreStack clusters, including network isolation and periodic key rotation.

Urgency of Response

Organizations using ASP.NET applications, particularly those with CentreStack deployments, must prioritize patching or key rotation.

The combination of active exploitation and the potential for RCE elevates this vulnerability to critical severity.

System administrators are advised to validate configurations and monitor for anomalous activity.

For further details on secure deserialization practices and ViewState hardening, consult Microsoft’s ASP.NET documentation and the CentreStack security advisory.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates

The post CentreStack 0-Day Flaw Enables Remote Code Execution on Web Servers appeared first on Cyber Security News.