CVE-2025-14611

CRITICAL KEV NUCLEI

Gladinet CentreStack & Triofox <16.12.10420.56791 - Code Injection

Title source: llm

Exploitation Summary

CVE-2025-14611 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added December 15, 2025). EIP tracks 3 public exploits from researchers including dyeat, pl4tyz and the Huntress Team, among them the Metasploit module auxiliary/gather/gladinet_storage_access_ticket_forge. A Nuclei detection template is also available.


Description

Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values (static keys) in their AES implementation. This weakens any publicly exposed endpoint that relies on that scheme and can allow arbitrary local file inclusion from an unauthenticated, specially crafted request. The flaw opens the door to further exploitation and can be chained with previously disclosed vulnerabilities to achieve full system compromise.

Exploits (3)

github WORKING POC
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/Gladinet/CentreStack/CVE-2025-14611

This repository contains a functional exploit for CVE-2025-14611, targeting Gladinet CentreStack. It includes steps for arbitrary file read, key extraction, and RCE via deserialization using ysoserial.net. The PoC demonstrates encryption key manipulation and payload generation for exploitation.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Gladinet CentreStack < 16.12.10420.56791
Authentication: none needed
Prerequisites: Access to target server · Ability to send HTTP requests · ysoserial.net for payload generation
Analyzed by devstral-2 on May 22, 2026
nomisec WORKING POC
by pl4tyz · remote-auth
https://github.com/pl4tyz/CVE-2025-14611-CentreStack-and-Triofox-full-Poc-Exploit

This repository contains a detailed analysis and proof-of-concept exploit for CVE-2025-14611, which involves hardcoded cryptographic keys in Gladinet CentreStack and Triofox products. The exploit demonstrates arbitrary file read through forged access tickets, leveraging static AES-256 keys embedded in the application binary.

Classification: Working PoC (100%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: Gladinet CentreStack and Triofox versions prior to 16.12.10420.56791
Authentication: none needed
Prerequisites: Access to the target server's endpoint · Knowledge of the hardcoded cryptographic keys
Analyzed by devstral-2 on Feb 16, 2026
metasploit WORKING POC
by Huntress Team · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/gladinet_storage_access_ticket_forge.rb

This Metasploit module exploits CVE-2025-14611 by forging storage access tickets for Gladinet CentreStack/Triofox using the hardcoded cryptographic keys. It allows arbitrary file reads, including reading Web.config to recover the ASP.NET machineKey, which can then be used for RCE via ViewState deserialization.

Classification: Working PoC (100%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: Gladinet CentreStack/Triofox < 16.12.10420.56791
Authentication: none needed
Prerequisites: Network access to target · Knowledge of file paths
Analyzed by devstral-2 on May 27, 2026
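The three entries above all come down to the same primitive: the server accepts an encrypted "storage access ticket", and because the AES key that encrypts it is a constant in the shipped binary, anyone who has pulled that constant out of the product can mint a ticket for any path and the server treats it as genuine. The Ruby below is an added illustration of that design flaw and of one hardened alternative; it is not Gladinet code and not the Metasploit module, and the key bytes, ticket format, storage root and file paths are constructed placeholders rather than anything taken from the product. The hardened version replaces the compile-time constant with a per-installation random key, uses AES-GCM so a ticket not produced with that key fails authentication instead of decrypting to attacker-chosen plaintext, adds an expiry, and canonicalises the requested path against the tenant root, which is the check the vulnerable resolver lacks.

```ruby
# Added example (not Gladinet code, not the Metasploit module): a toy
# "storage access ticket" service showing why a key baked into the shipped
# binary (CWE-798) lets anyone forge tickets, and one hardened design.
require 'openssl'
require 'json'
require 'securerandom'
require 'pathname'

STORAGE_ROOT = '/var/storage/tenant1'   # constructed; not the product's layout

# --- Vulnerable design: key and IV are compile-time constants ------------
# Placeholder bytes, NOT the product's real key. Anyone with a copy of the
# binary recovers the same constant, so "encrypted" tickets are forgeable.
HARDCODED_KEY = OpenSSL::Digest::SHA256.digest('hardcoded-ticket-key')
HARDCODED_IV  = "\x00" * 16

def aes_cbc(mode, key, iv, data)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv  = iv
  c.update(data) + c.final
end

# What the vulnerable server does: decrypt, trust the path, serve the file.
def vulnerable_resolve(ticket_b64)
  fields = JSON.parse(aes_cbc(:decrypt, HARDCODED_KEY, HARDCODED_IV, ticket_b64.unpack1('m0')))
  File.join(STORAGE_ROOT, fields['path'])   # no canonicalisation, no allow-list
end

# What the attacker does with the extracted constant: mint a ticket for any path.
def forge_ticket(path)
  [aes_cbc(:encrypt, HARDCODED_KEY, HARDCODED_IV, JSON.generate('path' => path))].pack('m0')
end

# --- Hardened design ------------------------------------------------------
# The key is generated per installation and lives outside the code (here in
# memory via SecureRandom; in practice DPAPI or a secret store). AES-GCM adds
# an authentication tag, so a ticket that was not produced with this key
# fails to decrypt instead of yielding attacker-controlled plaintext.
class TicketService
  def initialize(root = STORAGE_ROOT)
    @root = Pathname.new(root)
    @key  = SecureRandom.random_bytes(32)
  end

  def issue(path, ttl: 300)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @key
    nonce = c.random_iv          # fresh 12-byte nonce per ticket
    c.auth_data = 'storage-ticket-v1'
    body = JSON.generate('path' => path, 'exp' => Time.now.to_i + ttl)
    ct = c.update(body) + c.final
    [nonce + c.auth_tag + ct].pack('m0')
  end

  # Returns the absolute file path, or nil when the ticket is forged,
  # tampered with, expired, or points outside the storage root.
  def resolve(ticket_b64)
    raw = ticket_b64.unpack1('m0')
    return nil if raw.bytesize < 28
    nonce, tag, ct = raw[0, 12], raw[12, 16], raw[28..]
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = @key
    c.iv  = nonce
    c.auth_tag  = tag
    c.auth_data = 'storage-ticket-v1'
    fields = JSON.parse(c.update(ct) + c.final)
    return nil if fields['exp'].to_i < Time.now.to_i
    target = (@root + fields['path']).cleanpath
    # Reject traversal: the resolved path must stay under the tenant root.
    return nil unless target.to_s.start_with?(@root.to_s + '/')
    target.to_s
  rescue OpenSSL::Cipher::CipherError, JSON::ParserError, ArgumentError, TypeError
    nil                          # wrong key, bad tag, or garbage input
  end
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_ticket('../../../inetpub/wwwroot/app/Web.config')
  puts "vulnerable server serves: #{vulnerable_resolve(forged)}"
  svc = TicketService.new
  puts "hardened server, forged ticket: #{svc.resolve(forged).inspect}"
  puts "hardened server, legit ticket:  #{svc.resolve(svc.issue('docs/report.pdf'))}"
  puts "hardened server, traversal:     #{svc.resolve(svc.issue('../../etc/passwd')).inspect}"
end
```

Run it directly to see the vulnerable resolver return a path full of `../` segments ending in Web.config, while the hardened service returns nil for the forged ticket and for a traversal path even when that ticket was genuinely issued. The fix is two things, not one: moving the constant to a secret store does not help while the ticket is still unauthenticated CBC, and authenticating the ticket does not help while the server still serves whatever path the ticket names.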

Nuclei Templates (1)

Gladinet CentreStack & Triofox - Hardcoded Credentials
CRITICAL · VERIFIED · by 0xanis
FOFA: title="CentreStack" || title="Triofox"

Scores

CVSS v3.1 9.8
EPSS 0.8182
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-12-15
VulnCheck KEV 2025-12-12
ENISA EUVD EUVD-2025-203165
CWE
CWE-798
Status published
Products (2)
gladinet/centrestack < 16.12.10420.56791
gladinet/triofox < 16.12.10420.56791
Published Dec 12, 2025
KEV Added Dec 15, 2025
Tracked Since Feb 18, 2026