CyberWire Daily

Triofox and the key to disaster. [Research Saturday]

May 31, 2025
John Hammond, Principal Security Researcher at Huntress, dives deep into the critical CVE-2025-30406 vulnerability affecting Gladinet CentreStack and Triofox. He shares alarming findings about how this vulnerability allows remote code execution via hardcoded keys, with hundreds of servers already compromised. John discusses the importance of endpoint security, the risks of deserialization, and proactive measures organizations can take to protect themselves. His insights underscore the urgent need for patching and security awareness among system administrators.
INSIGHT

Pre-auth Remote Code Execution Vulnerability

  • CVE-2025-30406 is a pre-authentication deserialization vulnerability allowing remote code execution without credentials.
  • Attackers only need the IP address or domain name of an exposed Gladinet CentreStack or Triofox server to target it.
INSIGHT

View State Deserialization Exploited

  • The vulnerability abuses view state deserialization in ASP.NET web applications.
  • View state handles session data, and if it is manipulated it can be exploited for code execution.
INSIGHT

Hardcoded Cryptographic Keys Risk

  • Servers shipped with hardcoded cryptographic keys in their default configs, so the secrets were the same everywhere and exploitable.
  • Because the keys were identical across installations, an attacker could decrypt and forge view state with little effort.
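As an added defensive example (not code from the episode or from Gladinet), the following Python audits an ASP.NET web.config for the conditions the last two insights describe: static machineKey values instead of auto-generated ones, a key that matches a list of known shared values, a weak validation algorithm, and a disabled view state MAC. The sample configs and the entry in the known-shared-keys list are constructed placeholders; the actual Gladinet key is not given on this page.

```python
# Added example: audit an ASP.NET web.config for the machineKey weaknesses this episode
# describes. Not code from the episode or from Gladinet; sample configs are constructed.
import xml.etree.ElementTree as ET

# Placeholder for vendor-published or leaked shared keys. Constructed for the example;
# a real audit would load the defaulted keys named in the vendor advisory.
KNOWN_SHARED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for one web.config; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(web_config_xml)
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("CRITICAL: enableViewStateMac=false, view state is unsigned")
    mk = root.find("system.web/machineKey")
    if mk is None:
        return findings  # no element: runtime uses auto-generated, per-machine keys
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue  # unique per machine, so not shared across installations
        if value.upper() in KNOWN_SHARED_KEYS:
            findings.append(f"CRITICAL: {attr} matches a known shared key; rotate it")
        else:
            findings.append(f"WARN: {attr} is static; confirm it is unique to this install")
    # .NET 4.5+ defaults to HMACSHA256 when the attribute is absent (assumption noted)
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"WARN: weak validation algorithm {validation}")
    return findings

# Constructed samples: a shared static key with SHA1 versus auto-generated keys.
VULNERABLE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="00112233445566778899AABBCCDDEEFF" validation="SHA1" decryption="AES"/>
</system.web></configuration>"""
HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["OK"])
```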