At first, the engineers assumed this was connected to a previous zero-day in the same software that the company publicized in April, a ViewState deserialization vulnerability allowing remote code execution (RCE), tracked as CVE-2025-30406.
However, engineers discovered that the targeted customer was running a version of CentreStack patched against that vulnerability. Further analysis revealed that the latest detection was a completely new vulnerability that had been used against three of Huntress’s customers.
Tale of two flaws
The underlying problem revealed by April’s CVE-2025-30406 was that CentreStack and Triofox relied on a hardcoded machineKey. A prerequisite for exploiting this flaw was that the attackers had to discover this machineKey, made easier because every installation used the same one.
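The defensive check that follows from this root cause is to audit ASP.NET web.config files for a fixed machineKey and, across a fleet, for the same key reused on several hosts. The script below is an added example written for this article, not code from Huntress or Gladinet; the three web.config fragments are constructed samples that assume the standard ASP.NET layout (configuration/system.web/machineKey), and the key values in them are placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (placeholder keys, not real product files).
# hostA and hostB ship the same fixed key; hostC lets ASP.NET generate keys per install.
FIXED_KEY = ('<machineKey validationKey="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2" '
             'decryptionKey="0123456789ABCDEF0123456789ABCDEF" '
             'validation="HMACSHA256" decryption="AES" />')
AUTO_KEY = ('<machineKey validationKey="AutoGenerate,IsolateApps" '
            'decryptionKey="AutoGenerate,IsolateApps" />')
SAMPLE_CONFIGS = {
    "hostA": f"<configuration><system.web>{FIXED_KEY}</system.web></configuration>",
    "hostB": f"<configuration><system.web>{FIXED_KEY}</system.web></configuration>",
    "hostC": f"<configuration><system.web>{AUTO_KEY}</system.web></configuration>",
}


def machine_key_fingerprint(config_xml):
    """Return a short SHA-256 fingerprint of explicit machineKey material, or None
    when the app relies on auto-generated keys (or sets no machineKey at all)."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    vk = node.get("validationKey", "AutoGenerate")
    dk = node.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return None
    return hashlib.sha256(f"{vk}|{dk}".encode()).hexdigest()[:16]


def audit_machine_keys(configs):
    """Flag hosts with a fixed machineKey, and hosts that share the same fixed key.
    A shared key is the condition that let one discovered key unlock ViewState
    on every installation; the fingerprint lets you compare hosts without
    copying the key material itself into a report."""
    findings = []
    hosts_by_fp = {}
    for host, xml_text in configs.items():
        fp = machine_key_fingerprint(xml_text)
        if fp is None:
            continue
        findings.append((host, "fixed-machineKey"))
        hosts_by_fp.setdefault(fp, []).append(host)
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) > 1:
            findings.extend((host, f"shared-machineKey:{fp}") for host in hosts)
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit_machine_keys(SAMPLE_CONFIGS):
        print(f"{host}: {finding}")
```

Against real installations, read each host's web.config into the dictionary in place of the constructed samples; any "shared-machineKey" finding means a key disclosed on one host is valid on the others.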