Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Unauthenticated LFI in Gladinet CentreStack and Triofox via Hardcoded AES Cryptographic Values

IdentifiersCVE-2025-14611CWE-321

CVE-2025-14611 affects Gladinet CentreStack and Triofox versions prior to 16.12.10420.56791. The vulnerability is caused by hardcoded values in the products’ AES cryptosystem implementation, described in the supporting content as fixed cryptographic keys and initialization vectors embedded across vulnerable installations. Because these values are not unique per deployment, attackers can recover or rely on the known cryptographic material to decrypt or forge protected access tickets. In exposed deployments, a specially crafted unauthenticated request to affected endpoints can bypass intended protections and trigger arbitrary local file inclusion (LFI), including retrieval of sensitive files such as web.config. The weakness degrades the security of publicly exposed endpoints and can be chained with other Gladinet vulnerabilities for broader compromise.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to read arbitrary local files accessible to the application, including sensitive configuration files. Exposure of files such as web.config can disclose machine keys, cryptographic material, credentials, API keys, and other secrets. The supporting content indicates attackers have used this flaw in the wild and chained it with other Gladinet vulnerabilities to achieve authentication bypass, ViewState abuse, remote code execution, persistent unauthorized access, data theft, and ultimately full system compromise. Publicly exposed CentreStack and Triofox instances are at particular risk.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, restrict or remove public internet exposure of CentreStack and Triofox portals and vulnerable endpoints, and limit access to trusted users and IP ranges. Use network segmentation and least-privilege configuration for the IIS application pool identity to reduce blast radius. Monitor for suspicious unauthenticated requests to affected endpoints such as /storage/filesvr.dn and attempts to access configuration files, including requests containing the indicator string vghpI7EToZUDIZDdprSubL3mTZ2 associated with web.config access. Blocking known malicious source IPs may help tactically, but patching and key rotation are the primary mitigations.

Remediation

Patch, then assume compromise.

Upgrade Gladinet CentreStack and Triofox to version 16.12.10420.56791 or later. Because exploitation may expose sensitive configuration data and cryptographic material, organizations should also rotate the machine key in web.config after patching, which invalidates malicious ViewState payloads generated using previously exposed keys. If compromise is suspected, rotate any credentials, API keys, or other secrets stored in or derivable from exposed configuration files, review IIS and application logs for exploitation activity, and investigate affected hosts for persistence or follow-on activity.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
CVE-2025-14611-CentreStack-and-Triofox-full-Poc-ExploitMaturityPoCVerified exploit

This repository provides a full proof-of-concept exploit for CVE-2025-14611, a critical vulnerability in Gladinet CentreStack and Triofox (all versions prior to 16.12.10420.56791) on Windows. The vulnerability is due to hardcoded AES-256 keys in the application binary, allowing attackers to forge access tickets and read arbitrary files from the server via the /storage/filesvr.dn HTTP endpoint. The exploit consists of a single Python script (exploit.py) that can both generate (encrypt) and analyze (decrypt) access tickets. The script constructs a malicious ticket by encrypting the target file path (default: web.config), empty username and password (to trigger authentication bypass), and a far-future timestamp (to bypass expiration checks). The resulting ticket is embedded in a URL, which can be used with curl or a browser to retrieve the file from a vulnerable server. The README.md provides extensive technical details, including reverse engineering findings, cryptographic key extraction, and real-world attack scenarios. The exploit enables attackers to obtain sensitive files (such as web.config with machine keys), which can be further leveraged for remote code execution via ViewState deserialization attacks. The repository is operational and provides all necessary components for successful exploitation.

pl4tyzDisclosed Dec 29, 2025pythonnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GladinetCentrestackapplication
GladinetTriofoxapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

33 SOURCESView more in app
finra cybersecurity alertsNews
Jan 29, 2026
Cybersecurity Alert - Threat Actors Exploiting Gladinet CentreStack and TrioFox Vulnerabilities | FINRA.org

A critical insecure cryptography vulnerability in Gladinet CentreStack and TrioFox involving hardcoded AES cryptographic values, which can enable arbitrary local file inclusion and be chained toward full system compromise.

Read more
horizon3 blogNews
Dec 19, 2025
Gladinet CentreStack / Triofox Local File Inclusion (LFI) | CISA KEV | Active Exploitation

An unauthenticated local file inclusion (LFI) vulnerability in Gladinet CentreStack and Triofox, caused by hardcoded values in the AES cryptoscheme, allows attackers to include arbitrary local files via specially crafted requests. This affects publicly exposed endpoints and is actively exploited.

Read more
cyber security newsNews
Dec 19, 2025
Clop Ransomware Group Exploiting Gladinet CentreStack Servers to Steal Data

A vulnerability in CentreStack and Triofox where hardcoded cryptographic keys allow attackers to decrypt and forge access tickets, enabling persistent unauthorized access.

Read more
cyberthroneNews
Dec 16, 2025
CISA Adds Gladinet Crypto Flaw and Apple WebKit Zero-Days to KEV Catalog

A critical vulnerability in Gladinet CentreStack and Triofox platforms due to hardcoded cryptographic keys, allowing attackers to decrypt data, bypass integrity checks, and potentially achieve remote code execution when chained with other flaws.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity24

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-14611
NVD
nvd.nist.gov/vuln/detail/CVE-2025-14611
MITRE CWE · CWE-321
cwe.mitre.org
Third Party Advisory
huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14611