
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply necessary patches.
Windows CLFS Driver Under Attack by RansomEXX
One of the most pressing concerns is a high-severity zero-day flaw in the Microsoft Windows Common Log File System (CLFS) Driver, tracked as CVE-2025-29824. Microsoft has confirmed that the RansomEXX ransomware gang is actively exploiting this vulnerability to gain SYSTEM privileges on compromised systems.
The vulnerability is classified as a use-after-free weakness, allowing local attackers with low privileges to escalate to SYSTEM privileges in attacks that require minimal complexity and no user interaction. While Microsoft released patches for some Windows versions, patches for Windows 10 x64 and 32-bit systems were delayed.
Microsoft has revealed that the attacks have targeted organizations across various sectors, including IT, real estate in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. It’s crucial to note that Windows 11, version 24H2, is not affected by this specific exploitation.
The attack chain involves the RansomEXX group (tracked by Microsoft as Storm-2460) installing the PipeMagic backdoor malware, which is then used to deploy the CVE-2025-29824 exploit, ransomware payloads, and ransom notes after encrypting files.
Gladinet CentreStack’s Cryptographic Key Vulnerability
The second vulnerability added to CISA’s catalog is CVE-2025-30406, affecting Gladinet CentreStack. This vulnerability stems from the application’s use of a hard-coded or improperly protected ASP.NET machineKey for ViewState integrity verification.
Attackers who obtain or predict this machineKey can forge ViewState data, potentially leading to unauthorized actions and, in some configurations, remote code execution (RCE) on the web server through ViewState deserialization attacks. Exploitation of this vulnerability has been observed in the wild.
Mitigation and Remediation
Given the active exploitation of these vulnerabilities, CISA is urging users to apply the necessary patches by April 29, 2025.
For the Gladinet CentreStack vulnerability (CVE-2025-30406), the recommended solution is to update to the patched version (build 16.4.10315.56368), which automatically generates a unique machineKey for each installation. If an immediate update is not feasible, rotating the machineKey values is a recommended interim mitigation. Detailed instructions for generating a unique machineKey are available in the vendor’s KB article.
Steps to Manually Generate and Apply a New Machine Key for Gladinet CentreStack:
- Go to the CentreStack installation folder: C:\Program Files (x86)\Gladinet Cloud Enterprise\root.
- Backup the web.config file.
- Open Internet Information Services (IIS) Manager.
- Select Sites -> Default Web Site.
- In the ASP.NET section, double-click Machine Key.
- Click “Generate Keys” and then “Apply”.
- Backup the web.config file in the portal folder: C:\Program Files (x86)\Gladinet Cloud Enterprise\portal.
- Edit the portal\web.config file and remove the line starting with ‘<machineKey decryption’. Save the file.
- Restart IIS (for single CentreStack servers).
- For server farms, generate a new machineKey on the first node and copy it to the root\web.config file of the other nodes.
- On the other nodes, back up and then edit the root\web.config file to use the same machineKey as the first node.
- Check and delete the machineKey configuration in the portal\web.config file on all other nodes.
- Restart IIS on the nodes.
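The same rotation done from PowerShell instead of IIS Manager, as an added example that is not from this article or from Gladinet’s KB: it backs up both web.config files, writes a fresh random machineKey into root\web.config, strips any machineKey from portal\web.config, and restarts IIS. The install paths are the ones quoted in the steps above; the key sizes and the HMACSHA256/AES algorithm choice are assumptions, and on farm nodes other than the first you pass the first node’s keys so all nodes end up with the same values.

```powershell
# Added example, not the vendor's script. Run in an elevated PowerShell on each CentreStack node.
param(
    [string]$Root   = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config',
    [string]$Portal = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\portal\web.config',
    # Leave empty on the first node (new keys are generated); on other farm nodes pass the first node's keys.
    [string]$ValidationKey,
    [string]$DecryptionKey
)

function New-HexKey([int]$Bytes) {
    # Cryptographically random bytes, hex-encoded as the machineKey attributes expect
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

if (-not $ValidationKey) { $ValidationKey = New-HexKey 64 }   # 512-bit key for HMACSHA256 (assumed size)
if (-not $DecryptionKey) { $DecryptionKey = New-HexKey 32 }   # 256-bit key for AES (assumed size)

# Step 2 / step 7: keep timestamped backups of both config files before touching them
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item $Root   "${Root}.${stamp}.bak"
Copy-Item $Portal "${Portal}.${stamp}.bak"

# root\web.config: replace (or add) <machineKey> under <system.web> with the new explicit keys
[xml]$cfg = Get-Content $Root -Raw
$sysWeb = $cfg.configuration.'system.web'
if (-not $sysWeb) { throw "no <system.web> element in $Root" }
$old = $sysWeb.SelectSingleNode('machineKey')
if ($old) { [void]$sysWeb.RemoveChild($old) }
$mk = $cfg.CreateElement('machineKey')
$mk.SetAttribute('validationKey', $ValidationKey)
$mk.SetAttribute('decryptionKey', $DecryptionKey)
$mk.SetAttribute('validation', 'HMACSHA256')
$mk.SetAttribute('decryption', 'AES')
[void]$sysWeb.AppendChild($mk)
$cfg.Save($Root)

# portal\web.config: remove any <machineKey ...> line so the portal inherits the root key (step 8 / step 11)
[xml]$pcfg = Get-Content $Portal -Raw
$pmk = $pcfg.configuration.'system.web'.SelectSingleNode('machineKey')
if ($pmk) { [void]$pmk.ParentNode.RemoveChild($pmk); $pcfg.Save($Portal) }

iisreset   # step 9 / step 12

# Print the keys so they can be applied on the remaining farm nodes
Write-Host "validationKey=$ValidationKey"
Write-Host "decryptionKey=$DecryptionKey"
```

After the run, confirm root\web.config carries the new explicit keys and portal\web.config has no machineKey element, and that every farm node shows identical validationKey and decryptionKey values.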