Summary of the incident
Huntress discovered exploitation of an unauthenticated local file inclusion vulnerability that allowed a threat actor to retrieve the machine key from the application web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability.
How to tell if you are impacted
Until this is patched, we believe every version is vulnerable. Current version 16.7.10368.56560
We’ve patched since the last CVE, am I still vulnerable?
Yes, this new vulnerability was discovered on a patch that was later than 16.4.10315.56368, which was no longer vulnerable to CVE-2025-30406.
Recommended Mitigation/Next Steps
We recommend disabling the temp handler within the web.config file for UploadDownloadProxy located at:
C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config
This will impact some functionality of the platform, however it will ensure this cannot be exploited until this vulnerability is patched.
By removing the line highlighted above this will mitigate the vulnerability present until such time as a patch can be applied.
If you have any trouble with the steps in this FAQ, please reach out to Gladinet.