Seven organizations have already been compromised in intrusions exploiting the critical zero-day deserialization flaw impacting the Gladinet CentreStack enterprise file-sharing platform and Triofox on-premises file-sharing server, tracked as CVE-2025-30406, reports Cybersecurity Dive.
All attacks involving the flaw, which arose from a default hardcoded key in CentreStack's configuration files, have been aimed at CentreStack instances, according to Huntress researchers, who noted the issue to be present across 120 endpoints. Further analysis also showed subsequent delivery of the open-source remote management tool MeshCentral for lateral movement across targeted environments. "Based on our telemetry, the observed exploitation activity is not likely to be driven by a single actor or group, nor does it appear to be specifically targeting managed service providers (MSPs). Instead, the behavior suggests attacks of opportunity," said Huntress principal security researcher John Hammond. Such a development comes after the security bug was added by the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog last week.
All attacks involving the flaw, which arose from a default hardcoded key in CentreStack's configuration files, have been aimed at CentreStack instances, according to Huntress researchers, who noted the issue to be present across 120 endpoints. Further analysis also showed subsequent delivery of the open-source remote management tool MeshCentral for lateral movement across targeted environments. "Based on our telemetry, the observed exploitation activity is not likely to be driven by a single actor or group, nor does it appear to be specifically targeting managed service providers (MSPs). Instead, the behavior suggests attacks of opportunity," said Huntress principal security researcher John Hammond. Such a development comes after the security bug was added by the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog last week.
