HighCISA KEVExploited in the wildPublic exploit

Unauthenticated LFI in Gladinet CentreStack and Triofox via Hardcoded AES Keys

IdentifiersCVE-2025-14611CWE-321

CVE-2025-14611 affects Gladinet CentreStack and Triofox versions prior to 16.12.10420.56791. The vulnerability is caused by hardcoded values in the products’ AES cryptosystem implementation, including fixed cryptographic material that is identical across vulnerable installations. Because these values are embedded in the application, an unauthenticated attacker can craft requests that bypass the intended protection around access tickets and related encrypted parameters. On publicly exposed endpoints, this weakness can be used to trigger arbitrary local file inclusion without authentication, including retrieval of sensitive files such as web.config. Multiple sources in the provided content also note that attackers may decrypt or forge access tickets using the hardcoded AES values, which degrades the security model of the affected file-sharing portals and enables follow-on exploitation.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated access to arbitrary local files on the underlying server, exposing sensitive configuration data, cryptographic material, credentials, and other secrets. Retrieval of files such as web.config can disclose machine keys and application secrets that enable additional attack paths, including chaining with other Gladinet vulnerabilities for authentication bypass, ViewState abuse, remote code execution, persistence, data theft, and ultimately full system compromise. The vulnerability has been reported as actively exploited in the wild and has been added to CISA’s KEV catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or remove public exposure of CentreStack and Triofox portal endpoints, limit access to trusted users and source IP ranges, and apply network segmentation to reduce blast radius. Monitor and filter suspicious requests to affected endpoints such as /storage/filesvr.dn and related file-serving paths, and investigate indicators such as requests containing the encrypted string associated with web.config access attempts. Use WAF or equivalent HTTP filtering to block malformed or unexpected requests where feasible. Treat any exposed vulnerable instance as high priority due to confirmed in-the-wild exploitation.

Remediation

Patch, then assume compromise.

Upgrade Gladinet CentreStack and Triofox to version 16.12.10420.56791 or later. Because exploitation may expose sensitive configuration data and cryptographic material, organizations should also rotate affected secrets after patching, including machine keys in web.config and any credentials, API keys, or other secrets that may have been stored in or derived from exposed configuration files. Review IIS and application logs for exploitation attempts, especially suspicious unauthenticated requests to affected storage endpoints and attempts to retrieve web.config or similar files. If compromise is suspected, perform incident response to identify persistence, unauthorized accounts, scheduled tasks, modified application files, and lateral movement.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2025-14611-CentreStack-and-Triofox-full-Poc-ExploitMaturityPoCVerified exploit

This repository provides a full proof-of-concept exploit for CVE-2025-14611, a critical vulnerability in Gladinet CentreStack and Triofox (all versions prior to 16.12.10420.56791) on Windows. The vulnerability is due to hardcoded AES-256 keys in the application binary, allowing attackers to forge access tickets and read arbitrary files from the server via the /storage/filesvr.dn HTTP endpoint. The exploit consists of a single Python script (exploit.py) that can both generate (encrypt) and analyze (decrypt) access tickets. The script constructs a malicious ticket by encrypting the target file path (default: web.config), empty username and password (to trigger authentication bypass), and a far-future timestamp (to bypass expiration checks). The resulting ticket is embedded in a URL, which can be used with curl or a browser to retrieve the file from a vulnerable server. The README.md provides extensive technical details, including reverse engineering findings, cryptographic key extraction, and real-world attack scenarios. The exploit enables attackers to obtain sensitive files (such as web.config with machine keys), which can be further leveraged for remote code execution via ViewState deserialization attacks. The repository is operational and provides all necessary components for successful exploitation.

pl4tyzDisclosed Dec 29, 2025pythonnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GladinetCentrestackapplication

GladinetTriofoxapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

34 SOURCESView more in app

finra cybersecurity alertsNews

Jan 29, 2026

Cybersecurity Alert - Threat Actors Exploiting Gladinet CentreStack and TrioFox Vulnerabilities | FINRA.org

A critical insecure cryptography vulnerability in Gladinet CentreStack and TrioFox involving hardcoded AES cryptographic values, which can enable arbitrary local file inclusion and be chained toward full system compromise.

horizon3 blogNews

Dec 19, 2025

Gladinet CentreStack / Triofox Local File Inclusion (LFI) | CISA KEV | Active Exploitation

An unauthenticated local file inclusion (LFI) vulnerability in Gladinet CentreStack and Triofox, caused by hardcoded values in the AES cryptoscheme, allows attackers to include arbitrary local files via specially crafted requests. This affects publicly exposed endpoints and is actively exploited.

cyber security newsNews

Dec 19, 2025

Clop Ransomware Group Exploiting Gladinet CentreStack Servers to Steal Data

A vulnerability in CentreStack and Triofox where hardcoded cryptographic keys allow attackers to decrypt and forge access tickets, enabling persistent unauthorized access.

cyberthroneNews

Dec 16, 2025

CISA Adds Gladinet Crypto Flaw and Apple WebKit Zero-Days to KEV Catalog

A critical vulnerability in Gladinet CentreStack and Triofox platforms due to hardcoded cryptographic keys, allowing attackers to decrypt data, bypass integrity checks, and potentially achieve remote code execution when chained with other flaws.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity25

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-14611

NVD

nvd.nist.gov/vuln/detail/CVE-2025-14611

MITRE CWE · CWE-321

cwe.mitre.org

Third Party Advisory

huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14611