CVE-2025-14611
📋 TL;DR
This vulnerability in Gladinet CentreStack and Triofox involves hardcoded AES encryption keys, allowing attackers to decrypt sensitive data and potentially achieve arbitrary local file inclusion without authentication. Systems running affected versions with public-facing endpoints are at risk, particularly when combined with other vulnerabilities. This can lead to full system compromise.
💻 Affected Systems
- Gladinet CentreStack
- Triofox
📦 What is this software?
Centrestack by Gladinet
Triofox by Gladinet
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary file inclusion combined with other vulnerabilities, leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Unauthenticated attackers decrypt sensitive data and achieve local file inclusion, enabling information disclosure and potential privilege escalation.
If Mitigated
Limited impact if systems are patched, isolated from internet, and have strong network segmentation preventing exploitation.
🎯 Exploit Status
Actively exploited in the wild according to CISA and Huntress reports. Exploitation requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.12.10420.56791
Vendor Advisory: https://www.gladinet.com/
Restart Required: Yes
Instructions:
1. Download version 16.12.10420.56791 or later from Gladinet.
2. Back up configuration and data.
3. Install the update following vendor instructions.
4. Restart the CentreStack/Triofox service.
🔧 Temporary Workarounds
Block Internet Access
Restrict network access to CentreStack/Triofox endpoints from untrusted networks.
Use firewall rules to block inbound traffic to CentreStack/Triofox ports (default 80, 443, 8010)
Disable Public Endpoints
Configure CentreStack/Triofox to only listen on internal network interfaces.
Edit configuration to bind to internal IP addresses only
🧯 If You Can't Patch
- Isolate affected systems in a segmented network with strict access controls.
- Implement web application firewall (WAF) rules to block suspicious requests targeting the cryptoscheme endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the CentreStack/Triofox version in the admin interface or configuration files. If the version is below 16.12.10420.56791, the system is vulnerable.
Check Version:
On Windows: check the program version in Control Panel. On Linux: check the version in /opt/centrestack/ or a similar installation directory.
Verify Fix Applied:
Confirm the version is 16.12.10420.56791 or higher in the admin interface. Test that encryption functions use non-hardcoded keys.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to encryption/decryption endpoints
- Failed authentication attempts followed by file inclusion attempts
- Log entries showing unexpected file access
Network Indicators:
- Traffic patterns to CentreStack/Triofox ports with crafted payloads
- Unusual outbound connections from CentreStack/Triofox servers
SIEM Query:
source="centrestack.log" AND (uri="*crypt*" OR uri="*encrypt*" OR uri="*decrypt*") AND status=200
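The SIEM query and the "failed authentication followed by file inclusion attempts" indicator above, implemented as an added Python example that is not from the advisory or the vendor. The access-log layout (client method uri status) and the sample lines are constructed, not real CentreStack/Triofox logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not real CentreStack/Triofox logs). The format is
# an assumed simple access-log layout: client method uri status.
SAMPLE_LOG = """\
203.0.113.10 GET /portal/login 200
203.0.113.10 POST /portal/login 401
203.0.113.10 GET /service/encrypt 200
198.51.100.7 GET /service/decrypt?data=abc 200
198.51.100.7 GET /images/logo.png 200
203.0.113.10 GET /service/crypt 500
"""

@dataclass
class Entry:
    client: str
    method: str
    uri: str
    status: int

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line: str) -> Optional[Entry]:
    """Parse one access-log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return Entry(m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None

# Mirrors the SIEM query (uri like *crypt*/*encrypt*/*decrypt*, status 200); *crypt* already covers the other two.
CRYPT_PATTERNS = ("crypt", "encrypt", "decrypt")

def matches_siem_query(e: Entry) -> bool:
    uri = e.uri.lower()
    return e.status == 200 and any(p in uri for p in CRYPT_PATTERNS)

def find_hits(log_text: str) -> List[Entry]:
    """All entries the SIEM query would return (successful crypt-endpoint requests)."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [e for e in entries if matches_siem_query(e)]

def failed_auth_then_hit(log_text: str) -> List[str]:
    """Clients that got a 401/403 and later a 200 on a crypt endpoint (second log indicator)."""
    denied, flagged = set(), []
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e.status in (401, 403):
            denied.add(e.client)
        elif matches_siem_query(e) and e.client in denied and e.client not in flagged:
            flagged.append(e.client)
    return flagged
```

Note that the status=200 filter drops failed attempts; widen it when hunting rather than alerting.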