A critical security vulnerability, tracked as CVE-2025-30406, has been disclosed in Gladinet’s CentreStack and Triofox file-sharing platforms. According to reports, this flaw arises from the presence of hardcoded administrative credentials embedded in default software builds. Attackers can use these credentials to gain unauthorized access to vulnerable systems. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning about the issue, emphasizing that the vulnerability is being actively exploited in the wild, putting both cloud-hosted and on-premise deployments at immediate risk. Continue reading this Cybersecurity Threat Advisory to learn how you can mitigate your risk.
What is the threat?
CVE-2025-30406 is a critical authentication bypass vulnerability in Gladinet’s CentreStack and Triofox platforms, used for secure file sharing and remote access. The flaw stems from static, hardcoded administrative credentials embedded in the backend, which are identical across all installations. Attackers can gain full admin access by simply logging into the interface using these credentials, with no user interaction or exploit chain required.
Once authenticated, attackers can exfiltrate data, access or modify configuration settings, retrieve stored credentials, disable auditing, and maintain persistence by creating new admin accounts. They may also use the access to deploy ransomware or move laterally across networks. The threat is amplified by widespread internet exposure of these systems and confirmed in-the-wild exploitation, making this a high-priority risk.
Why is it noteworthy?
This vulnerability reveals a significant and uncommon design flaw involving hardcoded, unchangeable credentials present in production software. The ease of exploitation, coupled with the availability of public exploit scripts, makes this issue accessible to a broad spectrum of attackers. This situation underscores the persistent risks linked to inadequate credential management, especially in software designed to protect sensitive data.
What is the exposure or risk?
Organizations using affected versions of CentreStack or Triofox—especially those with public-facing deployments—face a high risk of full platform compromise. Bad actors can access sensitive files, disable security features, bypass multi-factor authentication (MFA), and escalate attacks to cloud or internal systems. In cloud environments, this may lead to data breaches; in on-premise deployments, it increases the likelihood of ransomware and persistent threats. The vulnerability’s low complexity, high impact, and active exploitation make it one of the most dangerous file management flaws of the year.
What are the recommendations?
Barracuda strongly recommends that organizations take the following steps to secure their environment:
- Upgrade all vulnerable CentreStack and Triofox instances to the latest version as soon as possible.
- Review all existing administrator accounts within the platform for unauthorized additions or changes. Remove any unknown or unrecognized accounts.
- Restrict public access to affected systems using firewalls, VPNs, or network segmentation, if patching is not immediately feasible.
- Enforce MFA where possible, especially for admin interfaces, and ensure no default credentials are in use elsewhere.
References
For more in-depth information about the threat, please visit the following links:
- https://nvd.nist.gov/vuln/detail/CVE-2025-30406
- https://thehackernews.com/2025/04/gladinets-triofox-and-centrestack-under.html
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.