CVE-2025-14611
CRITICAL · KEV · NUCLEI
Gladinet CentreStack & Triofox <16.12.10420.56791 - Code Injection
Title source: llm
Description
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for publicly exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
Exploits (1)
nomisec
WORKING POC
by pl4tyz · remote-auth
https://github.com/pl4tyz/CVE-2025-14611-CentreStack-and-Triofox-full-Poc-Exploit
Nuclei Templates (1)
Gladinet CentreStack & Triofox - Hardcoded Credentials
CRITICAL · VERIFIED · by 0xanis
FOFA:
title="CentreStack" || title="Triofox"
Scores
CVSS v3
9.8
EPSS
0.5886
EPSS Percentile
98.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV
2025-12-15
VulnCheck KEV
2025-12-12
ENISA EUVD
EUVD-2025-203165
CWE
CWE-798
Status
published
Products (2)
gladinet/centrestack
< 16.12.10420.56791
gladinet/triofox
< 16.12.10420.56791
Published
Dec 12, 2025
KEV Added
Dec 15, 2025
Tracked Since
Feb 18, 2026