Overview
CVE-2025-14611 is a high-risk security vulnerability identified in the Gladinet CentreStack and Triofox file-sharing platforms. The issue is caused by the use of hardcoded encryption keys: anyone who knows them can forge the encrypted access tickets the platforms rely on for authentication. As a result, unauthorized access can be gained, sensitive files can be retrieved, and under certain conditions, remote code execution can occur.
This vulnerability has been actively exploited in real-world attacks since early December 2025. Due to the confirmed exploitation, it was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on December 13, 2025.
Vulnerability Summary
Classification and Severity
- CVE ID: CVE-2025-14611
- Severity Score (CVSS v4.0): 7.1 (High)
- Weakness Category: CWE-798 – Use of hard-coded credentials
- Affected Products: Gladinet CentreStack and Triofox
- Affected Versions: All versions earlier than 16.12.10420.56791
- Fixed Version: 16.12.10420.56791, released on December 8, 2025
- Exploitable: Yes
Root Cause Explanation
The issue originates from how encryption is implemented in the affected applications. When the CentreStack or Triofox server starts, encryption keys are generated using internal program logic. However, these keys are not randomly created.
Instead:
- The encryption key is always generated from the same fixed 32-byte string (derived from Chinese text).
- The initialization vector (IV) is always generated from the same fixed 16-byte string (derived from Japanese marketing text).
Because these values are fixed in the program and identical on every installation, anyone who extracts them once (by reverse-engineering the application) can reuse them against any deployment, indefinitely. Encrypted authentication data can then be decrypted, modified, or created from scratch, and because the IV never changes, the same plaintext encrypts to the same ciphertext everywhere. The encryption therefore provides none of the protection it is supposed to provide.
How the Vulnerability Is Exploited
The application includes a web handler (filesvr.dn) that processes encrypted access tickets passed in a query-string parameter (t in the observed requests).
Each access ticket normally contains:
- The file path on the server
- The username
- The password
- The time the ticket was created
Attackers abuse this process by creating forged access tickets using the known encryption keys. These malicious tickets are crafted with:
- Empty username and password fields, forcing the system to default to the IIS application pool identity
- A timestamp set far in the future (year 9999), making the ticket effectively permanent
- A file path pointing to sensitive configuration files, such as web.config
This approach allows files to be accessed without authentication.
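To make the failure concrete, here is an added illustration, written for this page rather than taken from Gladinet's code, of why a ticket encrypted under constants that ship with the program cannot authenticate anyone. The ticket layout (a small JSON object), the stand-in key and IV, the cipher (an HMAC-SHA256 keystream, so the script runs on the standard library alone), the application pool identity name and the ticket lifetime are all assumptions made for the demonstration; the real CentreStack and Triofox internals are not reproduced. The second half shows the design that removes the flaw: a per-installation secret kept outside the code, a random IV per ticket, an integrity tag checked before anything is decrypted, and a refusal to serve anonymous or future-dated tickets.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_TTL_SECONDS = 600  # assumed lifetime of a legitimately issued ticket
APP_POOL_IDENTITY = "IIS APPPOOL\\CentreStack"  # assumed name of the fallback identity

# Assumption: stand-ins for the fixed 32-byte key and 16-byte IV described
# above. The real constants are deliberately not reproduced.
HARDCODED_KEY = hashlib.sha256(b"fixed string compiled into the product").digest()
HARDCODED_IV = hashlib.md5(b"fixed marketing slogan").digest()


def keystream_xor(key, iv, data):
    """Toy unauthenticated stream cipher: keystream block i = HMAC(key, iv || i).
    Like bare AES-CBC under a static IV it is deterministic for a fixed key/IV
    and carries no integrity tag, which is all the demonstration needs."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def issue_ticket_vulnerable(path, user, password):
    """Legitimate issuer. Every installation uses the same key and IV."""
    body = {"p": path, "u": user, "w": password, "t": int(time.time())}
    return keystream_xor(HARDCODED_KEY, HARDCODED_IV, json.dumps(body).encode())


def serve_vulnerable(ticket, now=None):
    """Handler modelled on the described behaviour: decrypt, check age, and
    fall back to the application pool identity when no user is present."""
    now = time.time() if now is None else now
    try:
        f = json.loads(keystream_xor(HARDCODED_KEY, HARDCODED_IV, ticket))
        age = now - f["t"]
    except (ValueError, TypeError, KeyError):
        return None  # not decryptable into a ticket
    if age > TICKET_TTL_SECONDS:
        return None  # expired; a timestamp in the year 9999 never trips this
    return (f["u"] or APP_POOL_IDENTITY), f["p"]


def forge_ticket(path):
    """Attacker side: no account needed, only the constants from the binary."""
    far_future = 253402300799  # 9999-12-31T23:59:59Z
    body = {"p": path, "u": "", "w": "", "t": far_future}
    return keystream_xor(HARDCODED_KEY, HARDCODED_IV, json.dumps(body).encode())


# Hardened design: a secret generated once per installation and stored outside
# the code (os.urandom stands in for that store), a random IV per ticket,
# encrypt-then-MAC, and rejection of anonymous or out-of-window tickets.
INSTALL_SECRET = os.urandom(32)
ENC_KEY = hmac.new(INSTALL_SECRET, b"ticket-enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(INSTALL_SECRET, b"ticket-mac", hashlib.sha256).digest()


def issue_ticket_hardened(path, user, password, now=None):
    now = time.time() if now is None else now
    iv = os.urandom(16)
    body = {"p": path, "u": user, "w": password, "t": int(now)}
    ct = keystream_xor(ENC_KEY, iv, json.dumps(body).encode())
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def serve_hardened(ticket, now=None):
    now = time.time() if now is None else now
    if len(ticket) < 16 + 32:
        return None
    iv, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    expected = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # not produced with this installation's secret
    f = json.loads(keystream_xor(ENC_KEY, iv, ct))
    if not f["u"] or not 0 <= now - f["t"] <= TICKET_TTL_SECONDS:
        return None  # anonymous principal, future-dated, or expired
    return f["u"], f["p"]


if __name__ == "__main__":
    print("vulnerable handler:", serve_vulnerable(forge_ticket("web.config")))
    print("hardened handler:  ", serve_hardened(forge_ticket("web.config")))
```

Run as a script to see the vulnerable handler hand web.config to the anonymous, future-dated forgery while the hardened handler rejects it. The property that matters is that forging against the hardened handler requires the installation secret, so knowledge gained from the binary or from one server no longer transfers to any other.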
Attack Chain and Overall Impact
Multi-Step Exploitation Observed
In multiple incidents, this vulnerability has been used together with CVE-2025-11371, resulting in full system compromise:
- Initial Access: Authentication tickets are forged using the hardcoded keys
- Sensitive File Access: the web.config file is retrieved
- Key Extraction: the ASP.NET machine keys are read from the configuration file
- Deserialization Abuse: with the machine keys in hand, the attacker can sign ViewState payloads that pass the server's MAC validation, and ViewState deserialization attacks are attempted
- Remote Code Execution: arbitrary commands can be executed on the server
Security Risks
This vulnerability introduces several serious risks:
- Unauthorized file access, including sensitive system and configuration files
- Bypassing of authentication controls
- Exposure of encrypted data, both in storage and during transmission
- Full system compromise, when combined with other vulnerabilities
Active Exploitation Details
Confirmed Attack Activity
As of December 10, 2025, security researchers reported confirmed compromises across at least nine organizations, including healthcare and technology sectors.
Observed attack behavior included:
- Initial scanning using CVE-2025-11371
- Exploitation of CVE-2025-14611 to retrieve web.config
- Attempts to execute malicious code via ViewState deserialization
All observed attacks originated from the IP address:
- 147.124.216[.]205
Indicators of Compromise (IOCs)
The following indicators should be reviewed immediately:
- Encrypted ticket string (the value of the t parameter in the observed requests): vghpI7EToZUDIZDdprSubL3mTZ2
- Suspicious web requests: /storage/filesvr[.]dn?t=vghpI7EToZUDIZDdprSubL3mTZ2
- Known attacker IP: 147.124.216[.]205
A single ciphertext string can serve as an indicator only because the key and IV are fixed: the same forged ticket encrypts to the same bytes on every installation. The converse also holds, so a ticket forged with a different path or timestamp will not match this string, and log review should cover every request to filesvr.dn, not only this value.
Required Mitigation Steps
Immediate Actions
The following actions are strongly recommended:
- Upgrade Software Immediately: update CentreStack and Triofox to version 16.12.10420.56791 or later
- Rotate Machine Keys: after patching, regenerate the ASP.NET machine keys in every web.config file; any key that sat in a readable web.config before the patch must be treated as stolen, since the observed attacks retrieve that file specifically to harvest it, and the same applies to any other secret stored in the file
- Reduce External Exposure: restrict public access to CentreStack and Triofox endpoints where possible
- Review Logs: search IIS and application logs for the IOC string listed above and for every other request to filesvr.dn, since a forged ticket with a different path or timestamp produces a different string
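Since the rotation step is what invalidates keys an attacker has already copied, here is an added example (not Gladinet's tooling, and not a replacement for the Machine Key feature in IIS Manager) that generates a fresh key pair in the sizes ASP.NET expects and swaps it into the machineKey element of a web.config. The sample configuration is constructed, its key values are throwaway placeholders, and the choice of HMACSHA256 validation with AES decryption is an assumption about what the application accepts.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample; the key values are placeholders, not real keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0000000000000000000000000000000000000000000000000000000000000000"
                decryptionKey="00000000000000000000000000000000"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def new_machine_key():
    """Fresh keys in the sizes ASP.NET uses: a 64-byte validation key for
    HMACSHA256 and a 32-byte decryption key for AES, both hex-encoded."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml, keys):
    """Replace (or add) <system.web><machineKey> and return the new XML together
    with the attributes that were there before, so the old values can be
    recorded as compromised rather than silently lost."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    old = dict(mk.attrib) if mk is not None else {}
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(keys)
    return ET.tostring(root, encoding="unicode"), old


def read_machine_key(config_xml):
    """Return the machineKey attributes of a config, or None if it has none."""
    mk = ET.fromstring(config_xml).find("system.web/machineKey")
    return dict(mk.attrib) if mk is not None else None


if __name__ == "__main__":
    keys = new_machine_key()
    updated, previous = rotate_machine_key(SAMPLE_WEB_CONFIG, keys)
    print("replaced validationKey starting", previous.get("validationKey", "")[:16])
    print(updated)
```

When writing a real file, use ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True) and keep a backup first, because ElementTree drops XML comments on the way through. Apply the rotation to every web.config the page lists (the root and portal directories); IIS restarts the application when web.config changes, which is what invalidates ViewState and tickets signed under the old keys.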
CISA Requirements
Because this vulnerability is listed in the CISA KEV catalog, federal agencies are required to remediate it under Binding Operational Directive (BOD) 22-01. Organizations supporting critical infrastructure are strongly advised to treat this issue as a priority due to the potential impact on system integrity and data confidentiality.
Risk Considerations
According to CVSS v4.0 scoring:
- The attack can be launched remotely
- No user interaction or authentication is required
- Attack complexity is rated high, but that rating does not lower the practical risk: because the keys are fixed, a forgery that works once works against every unpatched installation
- Internet-facing deployments are therefore especially vulnerable, and they are the ones observed being attacked
Affected and Fixed Versions
Affected
- All CentreStack and Triofox versions earlier than 16.12.10420.56791
Fixed
- Version 16.12.10420.56791, released on December 8, 2025
Immediate upgrading is required, followed by key rotation to fully mitigate the risk.
Detecting Internet-Exposed Servers
Internal Network Checks
- Identify installations in default paths such as:
  C:\Program Files (x86)\Gladinet Cloud Enterprise\
  C:\Program Files (x86)\CentreStack\
  C:\Program Files (x86)\Triofox\
- Check for web.config files in both the root and portal directories; both must be covered by the key rotation
External Exposure Review
- Identify systems accessible from the internet
- Look for exposed handlers such as /storage/filesvr.dn
- Review firewall rules, NAT, and port-forwarding configurations
Log and Behavior Monitoring
IIS and Application Logs
- Look for requests referencing the IOC string
- Review every access attempt to filesvr.dn, not only those carrying the published string, and note the response status: a 200 on a request from an unknown client means the ticket was accepted and a file was returned
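As an added example of the review described here and in the IOC list above (written for this page, not part of the advisory), the script below parses IIS W3C logs using their #Fields directive and flags the attack pattern: requests to filesvr.dn, the published ticket string, and the reported client address. The log lines are constructed, the assumption that the ticket travels in the t parameter comes from the observed request, and the attacker address is used undefanged so it matches what IIS writes.

```python
from urllib.parse import parse_qs

IOC_TICKET = "vghpI7EToZUDIZDdprSubL3mTZ2"  # encrypted ticket string from the advisory
IOC_IP = "147.124.216.205"                  # attacker IP from the advisory, undefanged
HANDLER = "/filesvr.dn"

# Constructed sample in IIS W3C extended format; not real telemetry.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-09 03:14:07 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2 443 - 147.124.216.205 python-requests/2.31 200
2025-12-09 03:14:09 10.0.0.5 POST /portal/Default.aspx - 443 - 147.124.216.205 python-requests/2.31 500
2025-12-09 08:02:11 10.0.0.5 GET /Storage/FileSvr.dn t=AQIDBAUGBwgJCgsMDQ4PEA 443 - 203.0.113.9 Mozilla/5.0 200
2025-12-09 08:05:42 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.4 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive so the
    parser follows whatever column layout the server was configured with."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def triage(text):
    """Return one finding per request that matches the attack pattern."""
    findings = []
    for rec in parse_w3c(text):
        reasons = []
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        if rec.get("c-ip") == IOC_IP:
            reasons.append("known attacker IP")
        if stem.lower().endswith(HANDLER):  # IIS paths are case-insensitive
            # Assumption: the ticket travels in the t parameter, as in the observed request.
            ticket = parse_qs(query).get("t", [""])[0]
            if ticket == IOC_TICKET:
                reasons.append("published IOC ticket")
            elif ticket:
                reasons.append("other filesvr.dn ticket (fixed key: any value could be forged)")
        if reasons:
            request = f"{rec.get('cs-method')} {stem}"
            if query != "-":
                request += "?" + query
            findings.append({
                "when": f"{rec.get('date')} {rec.get('time')}",
                "client": rec.get("c-ip"),
                "request": request,
                "served": rec.get("sc-status") == "200",  # a file came back
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Point triage() at the contents of the files under the site's log directory (by default below %SystemDrive%\inetpub\logs\LogFiles). The third sample line is the case the published string alone would miss: a filesvr.dn request with a different ticket value, which under a fixed key is just as likely to be a forgery.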
Windows Event Logs
- Check the Application log for ASP.NET Event ID 1316 (event code 4009, "Viewstate verification failed"), which records ViewState payloads that failed the MAC check
- Decode the Base64-encoded ViewState payloads captured in those events and inspect them for embedded commands
- Note the limit of this signal: a payload signed with the genuine machine keys taken from web.config passes validation and logs nothing, so the absence of Event ID 1316 does not rule out exploitation; once the keys are rotated, replays of the attacker's old payloads will start to fail and appear here
Behavioral Indicators
- Unexpected access to web.config
- Abnormal child processes spawned by the IIS worker process (w3wp.exe), in particular cmd.exe or PowerShell
- Outbound connections to unknown destinations
- Creation of new administrative user accounts
Final Takeaway
CVE-2025-14611 represents a serious and actively exploited security weakness in Gladinet CentreStack and Triofox that directly affects authentication and file access controls. Because encryption keys were permanently embedded in the application, attackers are able to bypass security protections that would normally prevent unauthorized access. This design flaw removes a fundamental layer of trust from the system.
The vulnerability has already been used in real attacks and has been formally recognized by CISA as a known exploited issue. Internet-facing deployments are especially exposed, as exploitation can occur remotely without credentials or user interaction. When combined with other vulnerabilities, the impact can escalate from data exposure to full system compromise.
Organizations running CentreStack or Triofox should assume that unpatched systems are at immediate risk. Prompt upgrading to the fixed version, followed by rotation of machine keys and review of logs, is essential to reduce exposure. Delaying remediation increases the likelihood of unauthorized access, data loss, and potential regulatory or operational consequences.
In summary, this vulnerability should be treated as high priority, with remediation actions taken as soon as possible to protect systems, data, and business operations.
