The Cybersecurity and Infrastructure Security Agency (CISA) has once again sounded the alarm, adding three high-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including two critical flaws in Gladinet CentreStack and a concerning Windows kernel elevation of privilege weakness—all actively being weaponized by threat actors in the wild. This mandatory update for U.S. federal agencies carries urgent implications for the broader Windows ecosystem, spotlighting how enterprise file-sharing solutions and core operating system components remain prime targets for cyberattacks.
The Anatomy of the Gladinet CentreStack Threat
At the heart of this advisory are two Gladinet CentreStack vulnerabilities now under active exploitation:
- CVE-2025-29824 (CVSS 9.8): A path traversal flaw allowing unauthenticated attackers to read arbitrary files on compromised servers. Attackers append directory traversal sequences (e.g., ../../) to URLs, bypassing access controls to expose sensitive data like configuration files or credentials. Gladinet confirmed this impacts CentreStack versions 16.2.11998 and earlier, with patches available in v16.2.12001.
- CVE-2025-30406 (CVSS 9.8): A critical insecure direct object reference (IDOR) vulnerability enabling attackers to manipulate file identifiers in API requests. By altering numerical IDs in HTTP parameters, adversaries gain unauthorized download/delete privileges over user files. Patched in the same CentreStack update, this flaw exemplifies how misconfigured access validation can turn collaboration tools into data-extortion gateways.
CentreStack—a cloud-based file-sharing platform competing with solutions like SharePoint—is deployed by over 3,000 organizations globally for document synchronization and remote access. Its integration with Active Directory and frequent storage of intellectual property make it a lucrative target. Historical context heightens concern: CentreStack had five high-severity CVEs in 2024 alone, including remote code execution flaws. A pattern of access-control failures suggests systemic development lifecycle issues, though Gladinet’s rapid patch release (within 48 hours of disclosure) demonstrates improved responsiveness.
Windows Kernel Flaw: CVE-2025-30406’s Stealthy Danger
While less flashy than the CentreStack bugs, CVE-2025-30406 (CVSS 7.8) poses a pervasive threat. This elevation-of-privilege vulnerability resides in the Windows Kernel—specifically within the NTOSKRNL.EXE system file. Attackers with initial low-privilege access can exploit improper memory handling to execute code at the SYSTEM level.
Technical analysis reveals the flaw stems from a race condition during object manager namespace operations. When a thread creates a symbolic link while another concurrently accesses it, memory corruption occurs. Successful exploitation grants full system control, enabling malware persistence, credential theft via LSASS dumping, or lateral movement. Verified on Windows 10 22H2, 11 23H2, and Server 2022, Microsoft patched it in June’s Patch Tuesday (KB5039212). Crucially, this requires local access, meaning it’s typically chained with phishing or other initial access vectors.
Why These Vulnerabilities Matter Now
CISA’s KEV catalog requires federal agencies to patch within three weeks—but the real urgency stems from exploit trends. According to telemetry from ReliaQuest and GreyNoise, both CentreStack flaws saw exploitation attempts within 72 hours of public disclosure. Attackers prioritize such vulnerabilities for:
- Ransomware pivot points: CentreStack’s access to networked file stores offers ideal ransomware propagation paths, as seen in recent Akira and LockBit campaigns.
- Espionage opportunities: Kernel-level access allows sophisticated APTs (like Forest Blizzard) to deploy rootkits or credential harvesters undetected.
- Supply chain attacks: Compromised file-sharing servers could distribute trojanized updates to downstream clients.
Notably, Shodan scans show over 1,200 internet-exposed CentreStack instances, primarily in the U.S., Germany, and Japan—many still unpatched. Combined with the Windows flaw’s ubiquitous attack surface, this creates a “perfect storm” for cascading breaches.
Mitigation Strategies Beyond Patching
While patching remains non-negotiable, layered defenses are essential:
- CentreStack admins:
  - Upgrade to v16.2.12001+ immediately.
  - Disable public guest links if unused.
  - Audit file/folder permissions; enforce least-privilege access.
- Windows environments:
  - Apply KB5039212 via Windows Update.
  - Enable Attack Surface Reduction (ASR) rules to block credential-stealing and kernel exploits.
  - Restrict local admin rights via LAPS.
- Network-level controls:
  - Segment networks to isolate file-sharing servers.
  - Implement WAF rules blocking path traversal patterns (e.g., ../ sequences).
  - Monitor for anomalous API request spikes (indicator of mass IDOR exploitation).
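The two network-level checks above, path traversal patterns in request URLs and bursts of distinct file IDs from one client, can be run over access logs as a quick detection pass. The following is an added example, not code from the article, CISA or Gladinet; the log format, endpoint path and parameter names are assumed, and the log lines are constructed. It also percent-decodes twice, since a WAF rule that matches only the literal ../ misses encoded forms.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines ("<client> <method> <path> <status>"); illustrative
# only, not captured CentreStack traffic. Endpoint and parameter names are assumed.
SAMPLE_LOG = """\
10.0.0.5 GET /portal/files/download?id=1042 200
203.0.113.9 GET /portal/files/download?path=..%2F..%2F..%2Fweb.config 200
203.0.113.9 GET /portal/files/download?path=%252e%252e%252fweb.config 200
198.51.100.7 GET /portal/files/download?id=2000 200
198.51.100.7 GET /portal/files/download?id=2001 200
198.51.100.7 GET /portal/files/download?id=2002 200
198.51.100.7 GET /portal/files/download?id=2003 200
198.51.100.7 GET /portal/files/download?id=2004 200
10.0.0.5 GET /portal/files/download?id=1043 200
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")     # "../" or "..\" after decoding
ID_PARAM = re.compile(r"[?&]id=(\d+)")   # numeric file identifier in the query string

def normalize(path: str) -> str:
    """Percent-decode up to twice so %2e%2e%2f and %252e%252e%252f both become '../'."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path: str) -> bool:
    """True when the decoded request path contains a directory traversal sequence."""
    return TRAVERSAL.search(normalize(path)) is not None

def parse(log: str):
    """Yield (client, method, path, status) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[0], parts[1], parts[2], int(parts[3])

def traversal_hits(log: str) -> list:
    """(client, path) pairs whose path carries a traversal sequence."""
    return [(c, p) for c, _, p, _ in parse(log) if is_traversal(p)]

def enumeration_suspects(log: str, threshold: int = 5) -> dict:
    """Clients that requested at least `threshold` distinct numeric ids (IDOR sweep indicator)."""
    seen = defaultdict(set)
    for c, _, p, _ in parse(log):
        m = ID_PARAM.search(p)
        if m:
            seen[c].add(int(m.group(1)))
    return {c: len(ids) for c, ids in seen.items() if len(ids) >= threshold}
```

Tune the threshold to the normal per-client request rate of your deployment; the value here only fits the constructed sample.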
CISA’s bulletin excels in providing actionable timelines but omits critical context: the Windows flaw’s exploit complexity is high, reducing mass-exploit risk. Conversely, the CentreStack bugs—trivially exploitable via curl commands—demand emergency attention. Independent researchers like Will Dormann of ANALYGENCE confirm exploit code is circulating in underground forums, emphasizing patching urgency.
The Bigger Picture: A Call for Secure-by-Design
These vulnerabilities underscore persistent gaps in software development:
- Access control failures: CentreStack’s IDOR flaw reflects inadequate object-level authorization checks—a common OWASP Top 10 issue.
- Kernel hygiene: Microsoft’s recurring memory-safety bugs (40% of 2024 kernel CVEs) highlight the need for Rust integration in OS development.
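The object-level authorization gap behind an IDOR flaw of the kind described above is easiest to see side by side with the fix. This is an added example, not Gladinet's code; the in-memory store, user names and file IDs are constructed, and the download/delete split mirrors the privileges the article says the flaw exposed.

```python
from dataclasses import dataclass

@dataclass
class FileRecord:
    file_id: int
    owner: str
    shared_with: frozenset   # users the owner explicitly granted read access
    content: bytes

class AuthorizationError(PermissionError):
    """Raised for any id the caller may not act on, whether absent or owned by someone else."""

# Constructed in-memory store standing in for a file-sharing backend (not CentreStack's).
STORE = {
    1042: FileRecord(1042, "alice", frozenset({"bob"}), b"Q3 roadmap"),
    1043: FileRecord(1043, "carol", frozenset(), b"payroll figures"),
}

def download_vulnerable(user: str, file_id: int) -> bytes:
    """Looks the record up by id alone; the caller's identity is never consulted (IDOR)."""
    return STORE[file_id].content

def can_download(user: str, file_id: int) -> bool:
    """Object-level rule: the owner or an explicitly shared user may read."""
    rec = STORE.get(file_id)
    return rec is not None and (rec.owner == user or user in rec.shared_with)

def can_delete(user: str, file_id: int) -> bool:
    """Deletion is reserved for the owner; share recipients only read."""
    rec = STORE.get(file_id)
    return rec is not None and rec.owner == user

def download_hardened(user: str, file_id: int) -> bytes:
    if not can_download(user, file_id):
        # One error for "missing" and "forbidden" so responses do not reveal which ids exist.
        raise AuthorizationError("file not found or not accessible")
    return STORE[file_id].content

def delete_hardened(user: str, file_id: int) -> None:
    if not can_delete(user, file_id):
        raise AuthorizationError("file not found or not accessible")
    del STORE[file_id]
```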
CISA’s catalog updates remain a vital early-warning system, but reliance on reactive patching is unsustainable. Vendors must adopt memory-safe languages, rigorous fuzz testing, and exploitability assessments during development. For now, Windows administrators face a clear verdict: delay these patches at your peril. As threat actors accelerate weaponization, hours—not days—determine breach outcomes.