The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on two actively exploited vulnerabilities—one in Gladinet CentreStack and the other in Microsoft Windows. These zero-day threats have now been added to the agency’s Known Exploited Vulnerabilities (KEV) catalog, signaling the need for immediate patching.
CentreStack Flaw Exposes Systems to Remote Code Execution
One of the critical issues, tracked as CVE-2025-30406, carries a severe CVSS score of 9.0. The vulnerability affects Gladinet CentreStack, a cloud server and file-sharing platform commonly used by businesses for remote access and collaboration.
Disclosed on April 3, the flaw has reportedly been under active exploitation since March, although specific details about the attacks remain undisclosed.
According to Gladinet, the issue stems from the way the platform protected the cryptographic key used to verify the integrity of ASP.NET ViewState. The machineKey in the application's IIS web.config was hardcoded, so anyone who recovered it from one installation could sign ViewState that every other installation would accept as genuine. Because ASP.NET deserializes ViewState once its MAC checks out, a forged payload can lead to remote code execution (RCE) on a server whose configuration leaves that path open, giving the attacker control of the system.
To counter the threat, Gladinet released CentreStack version 16.4.10315.56368, which generates a unique machineKey during installation. Organizations on older versions are strongly advised to upgrade immediately or, at minimum, replace the existing machineKey values with freshly generated ones so that the known key can no longer be used to forge ViewState.
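The following script, an added example written for this article rather than Gladinet's or Microsoft's code, shows what the rotation advice above looks like in practice: it audits ASP.NET web.config files for a static machineKey and a legacy validation algorithm, flags a key that is shared across several hosts (the "same key in every install" pattern at the heart of the flaw), and generates a replacement key of the sizes IIS expects. The two web.config samples and their hex key values are constructed placeholders, not real CentreStack configuration.

```python
"""Audit ASP.NET web.config files for the machineKey weakness behind
CVE-2025-30406 and produce fresh key material for rotation.

Added example for this article, not Gladinet or Microsoft code. The two
web.config samples are constructed; the hex key values are fake placeholders.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed: every install ships the same static key, so anyone who reads one
# copy can sign ViewState for every server. SHA1 validation is also legacy.
VULNERABLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{'AB' * 64}" decryptionKey="{'CD' * 32}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed: keys generated per server by ASP.NET, with a modern MAC.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1"}  # legacy MACs; HMACSHA256 or stronger is recommended


def audit_machine_key(web_config_xml: str) -> dict:
    """Return {"static_keys": bool, "findings": [...]} for one web.config."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        # Nothing overrides machine.config (default AutoGenerate); confirm there.
        return {"static_keys": False,
                "findings": ["no <machineKey> in web.config; verify machine.config"]}
    findings = []
    static = False
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            static = True
            findings.append(f"{attr} is static; acceptable only if unique to this "
                            "deployment and rotated, never shared across installs")
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation={validation} is a legacy MAC; use HMACSHA256 or stronger")
    return {"static_keys": static, "findings": findings}


def find_shared_keys(configs: dict) -> dict:
    """Map each static validationKey to the hosts using it, keeping only keys
    seen on more than one host: the hardcoded-in-every-install pattern."""
    seen = {}
    for host, xml_text in configs.items():
        mk = ET.fromstring(xml_text).find("system.web/machineKey")
        key = mk.get("validationKey", "AutoGenerate") if mk is not None else "AutoGenerate"
        if not key.startswith("AutoGenerate"):
            seen.setdefault(key, []).append(host)
    return {key: hosts for key, hosts in seen.items() if len(hosts) > 1}


def generate_machine_key() -> dict:
    """Fresh key material from the OS CSPRNG: 64 random bytes for the
    HMACSHA256 validationKey and 32 for the AES decryptionKey (128 and 64 hex
    characters, the sizes IIS Manager's Generate Keys produces). For a web
    farm generate once and copy to every node; otherwise one per server."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(key: dict) -> str:
    """Serialize the key dict as the <machineKey> element for <system.web>."""
    attrs = " ".join(f'{name}="{value}"' for name, value in key.items())
    return f"<machineKey {attrs} />"


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_WEB_CONFIG),
                       ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_machine_key(cfg))
    fleet = {"portal-1": VULNERABLE_WEB_CONFIG, "portal-2": VULNERABLE_WEB_CONFIG,
             "portal-3": HARDENED_WEB_CONFIG}
    print("keys shared across hosts:", find_shared_keys(fleet))
    print("rotation candidate:", render_machine_key(generate_machine_key()))
```

Two caveats when applying this to a real fleet: a static key is not a vulnerability by itself (web farms need one so every node accepts the same ViewState), the problem is a value that ships identically to every customer; and rotating the machineKey invalidates outstanding ViewState and forms-authentication tickets, so users will be re-prompted and the change belongs in a maintenance window.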
Windows CLFS Zero-Day Exploited in Ransomware Campaigns
The second vulnerability, CVE-2025-29824, carries a CVSS score of 7.8 and affects Microsoft's Common Log File System (CLFS) driver. This use-after-free flaw allows a local attacker who already has a foothold to elevate privileges to SYSTEM, a common step in ransomware and spyware intrusions once initial access has been gained.
Microsoft patched this issue during its April 2025 Patch Tuesday release and confirmed that it has already been exploited in the wild.
The company linked the exploitation to the PipeMagic malware, which has surfaced in ransomware campaigns against organizations in the U.S., Venezuela, Spain, and Saudi Arabia. PipeMagic has previously been paired with zero-day exploits to escalate local privileges before ransomware payloads are dropped.
Mandatory Patch Deadline: April 29 for Federal Agencies
Both vulnerabilities were officially added to the CISA KEV catalog on Tuesday. In accordance with Binding Operational Directive (BOD) 22-01, all federal agencies are required to apply the necessary patches or mitigations by April 29, 2025.
While this directive is mandatory for federal entities, CISA strongly encourages all organizations, regardless of industry, to:
- Review the updated KEV catalog
- Identify systems running vulnerable CentreStack versions or Windows hosts without the April 2025 CLFS fix
- Deploy patches without delay to prevent exploitation
These two cases underscore how quickly zero-day vulnerabilities are weaponized in targeted attacks. Applying updates promptly, and rotating secrets such as the CentreStack machineKey where a patch alone does not remove the exposure, significantly reduces an organization's window of risk.