U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows CLFS Driver flaws to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini
April 09, 2025


U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog: a Gladinet CentreStack and ZTA deserialization issue, tracked as CVE-2025-30406, and a Microsoft Windows Common Log File System (CLFS) Driver use-after-free, tracked as CVE-2025-29824.

The vulnerability CVE-2025-30406 (CVSS score 9.0) is a ViewState deserialization issue caused by the CentreStack portal's use of a hardcoded ASP.NET machineKey. Threat actors exploited the flaw in attacks in March 2025.

The vulnerability has been addressed in version 16.4.10315.56368, released on April 3, 2025.

“The application uses a hardcoded or improperly protected machineKey in the IIS web.config file, which is responsible for securing ASP.NET ViewState data. If an attacker obtains or predicts the machineKey, they can forge ViewState payloads that pass integrity checks. In some scenarios, this can result in ViewState deserialization attacks, potentially leading to remote code execution (RCE) on the web server. Exploitation has been observed in the wild.” reads the advisory. “We strongly recommend updating to the patched version, which improves key management and mitigates exposure. For customers who cannot update immediately, rotating the machineKey values is a recommended interim mitigation.”

The vulnerability CVE-2025-29824 (CVSS score 7.8) is a use-after-free in the Windows Common Log File System Driver that allows a locally authenticated attacker to elevate privileges. An attacker who successfully exploited this flaw could gain SYSTEM privileges. Microsoft confirmed that the vulnerability has been exploited in attacks in the wild.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by April 29, 2025.
