CVE-2025-14611 Overview
CVE-2025-14611 is a critical hardcoded credentials vulnerability affecting Gladinet CentreStack and Triofox enterprise file sharing solutions prior to version 16.12.10420.56791. The vulnerability stems from the use of hardcoded values in the AES cryptographic implementation, which severely degrades the security posture of publicly exposed endpoints. Attackers can exploit this weakness to achieve arbitrary local file inclusion through specially crafted unauthenticated requests, potentially leading to full system compromise when chained with other vulnerabilities.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Organizations running vulnerable versions of Gladinet CentreStack or Triofox should prioritize immediate patching.
Affected Products
- Gladinet CentreStack versions prior to 16.12.10420.56791
- Gladinet Triofox versions prior to 16.12.10420.56791
Discovery Timeline
- 2025-12-12 - CVE-2025-14611 published to NVD
- 2025-12-16 - Last updated in NVD database
Technical Details for CVE-2025-14611
Vulnerability Analysis
This vulnerability falls under CWE-798 (Use of Hard-coded Credentials), a configuration and design flaw that represents a significant departure from cryptographic best practices. The core issue lies in Gladinet's implementation of AES encryption within CentreStack and Triofox, where static, hardcoded key values are used instead of dynamically generated or securely stored cryptographic keys.
When cryptographic keys are hardcoded into application code, they become discoverable through reverse engineering, static analysis, or examination of deployed binaries. Once an attacker recovers these keys, they can decrypt protected communications, forge authenticated requests, and bypass security controls that depend on the cryptographic integrity of the system.
The network-accessible nature of this vulnerability is particularly concerning for enterprise deployments where CentreStack and Triofox instances are exposed to the internet for remote file access functionality. Although the attack is rated as high in complexity, it requires no authentication or user interaction, making it suitable for automated exploitation campaigns.
Root Cause
The root cause of CVE-2025-14611 is the implementation decision to use static, hardcoded values for AES encryption rather than employing proper key management practices. Secure cryptographic implementations require unique keys that are:
- Generated using cryptographically secure random number generators
- Stored securely outside of application code (e.g., hardware security modules, secure key vaults)
- Rotated periodically according to organizational security policies
- Unique per installation or deployment
By embedding encryption keys directly in the application code, Gladinet created a scenario where every installation of the affected versions shares identical cryptographic material, effectively nullifying the security benefits of encryption for any attacker who obtains the hardcoded keys.
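The four properties above, implemented as an added example (not Gladinet's code): a per-installation key store beside a hardcoded-key counterpart, so the cross-installation effect described in this section can be observed directly. HMAC-SHA256 stands in for the product's AES usage because the Python standard library has no AES; the HARDCODED_KEY value, key-file layout and payload are constructed for this illustration.

```python
import hashlib, hmac, json, os, secrets, tempfile
# The CWE-798 anti-pattern: one key compiled into the product, identical in every
# deployment. The value below is constructed for this example, not Gladinet's.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

class HardcodedKeyStore:
    """Models the vulnerable design: every installation shares HARDCODED_KEY."""
    keys = {1: HARDCODED_KEY}

class KeyStore:
    """Per-installation keys from the OS CSPRNG, kept in a 0600 file outside the
    code tree. Retired keys stay readable so tokens issued before a rotation verify."""
    def __init__(self, path):
        self.path, self.keys = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.keys = {int(k): bytes.fromhex(v) for k, v in json.load(f).items()}
        else:
            self.rotate()

    def rotate(self):
        self.keys[max(self.keys, default=0) + 1] = secrets.token_bytes(32)
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({k: v.hex() for k, v in self.keys.items()}, f)

def sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def accepts(store, kid, payload, tag):
    key = store.keys.get(kid)
    return key is not None and hmac.compare_digest(sign(key, payload), tag)

def cross_install_accepted(issuer, verifier, payload=b"file=/shares/report.pdf"):
    # A token minted by one installation under its current key, presented to another.
    kid = max(issuer.keys)
    return accepts(verifier, kid, payload, sign(issuer.keys[kid], payload))

def demo():
    with tempfile.TemporaryDirectory() as d:
        a, b = KeyStore(os.path.join(d, "a.json")), KeyStore(os.path.join(d, "b.json"))
        old = sign(b.keys[1], b"x")
        b.rotate()  # key 2 becomes current; key 1 is kept for verification only
        return {
            "hardcoded_shared": cross_install_accepted(HardcodedKeyStore(), HardcodedKeyStore()),
            "per_install_shared": cross_install_accepted(a, b),
            "old_token_after_rotation": accepts(b, 1, b"x", old),
            "file_mode": oct(os.stat(b.path).st_mode & 0o777),
        }
```

With the hardcoded store a token from any installation is accepted by every other; with per-installation keys it is not, and rotation adds a key without invalidating tokens issued under the previous one.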
Attack Vector
The vulnerability is exploitable over the network against publicly exposed CentreStack and Triofox endpoints. Attackers can leverage knowledge of the hardcoded AES keys to craft malicious requests that bypass cryptographic protections. The exploitation flow is as follows.
The attacker first recovers the hardcoded AES key values from the vulnerable application through reverse engineering or from publicly available exploit information. Using these keys, the attacker can then craft specially formed requests that the application accepts as legitimate, cryptographically protected communications. These crafted requests can be used to trigger arbitrary local file inclusion, allowing the attacker to read sensitive files from the server filesystem without authentication.
According to Huntress research, this vulnerability can be combined with previous vulnerabilities in the product to achieve full system compromise, escalating from information disclosure to complete control of the affected server.
Detection Methods for CVE-2025-14611
Indicators of Compromise
- Unusual file access patterns on CentreStack or Triofox servers, particularly requests for sensitive configuration files or system files
- Anomalous authentication-bypass attempts in web server logs targeting Gladinet endpoints
- Unexpected outbound connections from Gladinet servers that may indicate post-exploitation activity
- Evidence of file read operations outside of normal user directories or shares
Detection Strategies
- Monitor web application firewall (WAF) logs for malformed or suspicious requests targeting Gladinet CentreStack and Triofox endpoints
- Implement file integrity monitoring on Gladinet server installations to detect unauthorized configuration changes or exploitation artifacts
- Deploy network intrusion detection signatures for known CVE-2025-14611 exploitation patterns
- Review server access logs for unauthenticated requests to sensitive API endpoints
Monitoring Recommendations
- Enable verbose logging on all Gladinet CentreStack and Triofox instances to capture detailed request information
- Configure alerts for local file inclusion patterns such as directory traversal sequences (../) in request parameters
- Monitor for reconnaissance activity targeting Gladinet infrastructure, including version fingerprinting attempts
- Establish baseline network behavior for Gladinet servers and alert on deviations
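A detector for the traversal and sensitive-file patterns listed above, as an added example that is not part of the original advisory. It assumes the server logs in IIS W3C extended format (CentreStack and Triofox are hosted on IIS); the sample log lines, field order and URI paths are constructed placeholders, not the product's actual endpoints.

```python
import re
from urllib.parse import unquote
# Constructed IIS W3C log excerpt, not real Gladinet traffic; the URI paths are
# placeholders rather than the product's actual endpoints.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
2025-12-13 10:01:02 198.51.100.7 GET /portal/index.html - alice 200
2025-12-13 10:01:09 203.0.113.5 GET /api/fetch file=..%2F..%2Fweb.config - 200
2025-12-13 10:01:11 203.0.113.5 GET /api/fetch file=%252e%252e%255cwin.ini - 200
2025-12-13 10:01:15 203.0.113.5 POST /api/fetch file=C:%5CWindows%5Csystem.ini - 500
2025-12-13 10:02:30 198.51.100.9 GET /shares/docs/report.pdf v=3 bob 200
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # applied after backslashes are folded to /

def normalise(value, rounds=3):
    """Percent-decode repeatedly (defeats double encoding), then fold \\ into /."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def lfi_indicators(stem, query):
    """Reasons a request's path or parameter values look like a file-inclusion probe."""
    reasons = set()
    for raw in [stem] + query.split("&"):
        value = normalise(raw.split("=", 1)[-1])
        if TRAVERSAL.search(value):
            reasons.add("traversal")
        if re.match(r"[a-zA-Z]:/", value):
            reasons.add("absolute-path")
        if value.lower().endswith("web.config"):
            reasons.add("config-file")
    return sorted(reasons)

def scan(log_text):
    # One alert per request carrying indicators; flags whether it was unauthenticated.
    fields, alerts = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
            reasons = lfi_indicators(rec["cs-uri-stem"], query)
            if reasons:
                alerts.append({"time": rec["time"], "ip": rec["c-ip"], "reasons": reasons,
                               "anonymous": rec["cs-username"] == "-", "status": int(rec["sc-status"])})
    return alerts
```

Decoding is repeated because a single pass misses `%252e%252e` style double encoding, and backslashes are folded so `..\` is caught alongside `../`.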
How to Mitigate CVE-2025-14611
Immediate Actions Required
- Upgrade all Gladinet CentreStack and Triofox installations to version 16.12.10420.56791 or later immediately
- Audit network exposure of Gladinet servers and restrict access where possible using firewall rules or VPN requirements
- Review server logs for any evidence of prior exploitation attempts
- Rotate any credentials or secrets that may have been exposed through file inclusion attacks
Patch Information
Gladinet has addressed this vulnerability in version 16.12.10420.56791 of both CentreStack and Triofox. Organizations should upgrade to this version or later as the primary remediation measure. Given that this vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, federal agencies are required to remediate within mandated timeframes, and all organizations are strongly encouraged to treat this as a critical priority.
Workarounds
- If immediate patching is not possible, restrict network access to Gladinet servers to trusted IP ranges only using firewall rules
- Place affected Gladinet instances behind a VPN to eliminate direct internet exposure
- Implement a web application firewall (WAF) with rules to detect and block local file inclusion attempts
- Consider temporarily disabling public-facing Gladinet services until patching can be completed
# Example: Restrict access to Gladinet server using iptables
# Allow access only from trusted corporate network (adjust the CIDR to your environment)
# Note: -A appends, so these rules only take effect if no earlier INPUT rule already accepts port 443
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# Verify Gladinet version after patching
# Check the installed version in the Gladinet management console
# Ensure version is 16.12.10420.56791 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.