At first, the engineers assumed this was linked to an earlier zero-day in the same software that the company publicized in April, a ViewState deserialization vulnerability permitting remote code execution (RCE), tracked as CVE-2025-30406.
However, engineers found that the targeted customer was running a version of CentreStack patched against that vulnerability. Further analysis revealed that the latest detection was a completely new vulnerability that had been used against three of Huntress’s customers.
Story of two flaws
The underlying problem revealed by April’s CVE-2025-30406 was that CentreStack and Triofox relied on a hardcoded machineKey. A prerequisite for exploiting this flaw was that the attackers had to discover this machineKey, which was made easier because every installation used the same one.
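A defender can check for this condition by auditing ASP.NET `web.config` files collected from their own servers. The following is an added example, not code from the article or the vendor: it flags any explicitly configured `<machineKey>` and groups hosts that share one. The host names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config samples keyed by hypothetical host names.
# The key values are placeholders, not real key material.
_STATIC = ('<configuration><system.web><machineKey '
           'validationKey="AAAA1111BBBB2222" decryptionKey="CCCC3333DDDD4444" '
           'validation="HMACSHA256" decryption="AES" /></system.web></configuration>')
SAMPLE_CONFIGS = {
    "host-a": _STATIC,
    "host-b": _STATIC,  # second install carrying the same shipped key
    "host-c": ('<configuration><system.web><machineKey '
               'validationKey="AutoGenerate,IsolateApps" '
               'decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>'),
    "host-d": "<configuration><system.web /></configuration>",  # no machineKey element
}


def static_key_fingerprint(config_xml):
    """Return a short SHA-256 fingerprint of an explicit machineKey, else None."""
    mk = ET.fromstring(config_xml).find(".//machineKey")
    if mk is None:
        return None  # no element: ASP.NET generates the keys itself
    keys = [mk.get("validationKey", ""), mk.get("decryptionKey", "")]
    # "AutoGenerate[,IsolateApps]" is not a static secret, so ignore it.
    static = [k.upper() for k in keys if k and not k.upper().startswith("AUTOGENERATE")]
    if not static:
        return None
    # Report a fingerprint instead of the key so the audit output is not a secret.
    return hashlib.sha256("|".join(static).encode()).hexdigest()[:16]


def audit(configs):
    """Return (hosts with a static key, fingerprint -> hosts sharing that key)."""
    groups = defaultdict(list)
    for host, xml_text in configs.items():
        fp = static_key_fingerprint(xml_text)
        if fp:
            groups[fp].append(host)
    static_hosts = sorted(h for hosts in groups.values() for h in hosts)
    shared = {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}
    return static_hosts, shared


if __name__ == "__main__":
    static_hosts, shared = audit(SAMPLE_CONFIGS)
    print("static machineKey:", static_hosts)
    for fp, hosts in shared.items():
        print(f"shared key {fp} on: {', '.join(hosts)}")
```

A fingerprint that appears on more than one host means those installations share key material and should be rotated to unique keys.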



