CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence they are being actively exploited.
The first, CVE-2025-30406, is a Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability.
The second, CVE-2025-29824, is a Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability.
Both of these types of vulnerabilities are common attack vectors for threat actors and put federal enterprises at significant risk.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to federal enterprises.
It requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all entities to limit their exposure to cyberattacks by ensuring timely remediation of Catalog vulnerabilities as part of their vulnerability management practices.
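The "timely remediation of Catalog vulnerabilities" CISA asks for is easiest when the KEV feed is matched automatically against your own scanner findings. The Python below is an added example, not code from CISA or from this article. It parses a constructed sample in the shape of the KEV JSON feed (the field names follow the published feed; the entries, dates and hostnames are illustrative placeholders, not the real catalog records), matches it against a constructed asset inventory, and reports which hosts carry Catalog items and which are past their due date. The feed URL is CISA's published JSON endpoint; the live fetch is optional and not needed to run the example.

```python
import json
import urllib.request
from datetime import date

# CISA publishes the Known Exploited Vulnerabilities Catalog as JSON at this URL.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. Field names follow the feed;
# the dates and text below are illustrative placeholders, not the real records.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-30406",
            "vendorProject": "Gladinet",
            "product": "CentreStack",
            "vulnerabilityName": "Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability",
            "dateAdded": "2025-04-08",
            "dueDate": "2025-04-29",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-29824",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",
            "dateAdded": "2025-04-08",
            "dueDate": "2025-04-29",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: hostname -> CVE IDs reported by a scanner export.
# "CVE-0000-00001" is a deliberately fake ID standing in for a finding that is
# not in the catalog and therefore must not be flagged.
INVENTORY = {
    "msp-centrestack-01": ["CVE-2025-30406", "CVE-0000-00001"],
    "fileserver-02": ["CVE-2025-29824"],
    "jumpbox-03": ["CVE-2025-29824", "CVE-2025-30406"],
}


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def fetch_live_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> dict:
    """Download and index the current catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def kev_exposure(inventory: dict, kev: dict, today: date) -> list:
    """Return one record per (host, CVE) pair that appears in the catalog,
    overdue items first, then ordered by due date, host and CVE."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: the normal vulnerability-management cadence applies
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: (not f["overdue"], f["due"], f["host"], f["cve"]))
    return findings


def overdue_hosts(findings: list) -> list:
    """Hosts with at least one KEV item past its due date."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    exposure = kev_exposure(INVENTORY, load_kev(SAMPLE_KEV_FEED), date.today())
    for f in exposure:
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f'{f["host"]:20} {f["cve"]:15} {f["product"]:22} due {f["due"]}  {state}')
    print("hosts overdue:", overdue_hosts(exposure))
```

Swapping `load_kev(SAMPLE_KEV_FEED)` for `fetch_live_kev()` runs the same report against the real catalog; in practice the inventory side comes from your scanner or CMDB export, and the `days_left` and `overdue` fields are what a ticketing or SLA dashboard should key on.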
A Chain Reaction of Compromises
“When a vulnerability like CVE-2025-30406 is weaponized against an MSP, the consequences can cascade across that MSP’s entire client base,” says Dr Süleyman Özarslan, co-founder of Picus Security and VP of Picus Labs.
In a worst-case scenario, a single successful exploit leads to a chain reaction of compromises, Özarslan adds. “An attacker who achieves RCE on an MSP’s CentreStack server could, for instance, access sensitive files for multiple end-customer companies at once, steal data in bulk or deploy ransomware across all tenant shares simultaneously. The Gladinet CentreStack platform is explicitly designed for multi-tenancy (allowing one MSP deployment to serve many clients), which means an RCE exploit jeopardizes every tenant hosted on that instance. Thus, what begins as one server breach can quickly escalate into a multi-organization data breach or outage.”
Entities affected by the CentreStack breach are experiencing this in real time, he adds. “But all MSPs and MSSPs should review their security strategy to ensure it accounts for the unique position they are in as service providers.”
One Exploit, Many Targets
He says vulnerabilities in MSP/MSSP tools can give bad actors a foothold into every client network managed by that provider, turning a single exploit into a multiplied attack across dozens of companies, which makes them especially attractive targets for attackers looking for maximum impact.
In addition, because MSPs/MSSPs hold the “keys to the kingdom” for multiple organizations (admin credentials, sensitive data, trusted access), Özarslan says they must maintain higher-than-average security standards.
“The fallout from an MSP/MSSP compromise can include data breaches, widespread ransomware infections and service outages affecting many businesses at once. This cascading effect amplifies financial and reputational damage – for both the provider and its clients – compared to an isolated incident,” he explains.
Rapid Patching and Response
Özarslan says when a critical vulnerability is revealed (particularly one already exploited in the wild), MSPs should treat it as an emergency. “Apply patches or workarounds immediately and consider temporarily isolating or shutting down affected services until fixed. Swift action can prevent attackers from leveraging the flaw while you’re exposed.”
MSPs and MSSPs should also promptly inform their customers about such vulnerabilities and the steps being taken to remediate them, he concludes. “Transparency and quick mitigation help maintain client trust. In contrast, if clients discover an MSP failed to patch a known issue like CVE-2025-30406 and it led to an incident, trust can be severely undermined, with potential legal and business consequences.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.