Gladinet CentreStack / Triofox Local File Inclusion (LFI) | CISA KEV | Active Exploitation
CVE-2025-14611 is an unauthenticated local file inclusion (LFI) vulnerability in Gladinet CentreStack and Triofox. The issue stems from hardcoded values used in the AES cryptoscheme in vulnerable versions. In practice, this can degrade security for publicly exposed endpoints and may allow arbitrary local file inclusion when a specially crafted request is provided without authentication.
Technical Details
- CentreStack and Triofox versions prior to 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme.
- This degrades security for publicly exposed endpoints that use the cryptoscheme and may enable arbitrary local file inclusion via a specially crafted unauthenticated request.
- Active exploitation has been reported publicly, and defenders should treat exposed instances as high priority.
- CISA has added CVE-2025-14611 to the Known Exploited Vulnerabilities (KEV) catalog.
Stop Guessing, Start Proving
NodeZero® Offensive Security Platform — Rapid Response
The Gladinet CentreStack / Triofox Rapid Response test for CVE-2025-14611 enables customers to safely verify whether CentreStack and Triofox instances are exploitable via this path, and to confirm remediation once fixes are applied.
- Run the Rapid Response test to assess both internet-facing and internal CentreStack or Triofox portal endpoints.
- Patch immediately by upgrading CentreStack and Triofox to version 16.12.10420.56791 or later, and reduce risk by restricting public access to portal endpoints wherever possible.
- Re-run the Rapid Response test after applying fixes to confirm exploitability has been removed.
If the Rapid Response test confirms exploitability, treat this as an incident. Preserve logs, isolate affected systems, and validate whether sensitive configuration material was accessed or used for follow-on activity.
Indicators of Compromise (IOCs) — hunting guidance
| Indicator | Type | Description / detection tips |
Requests to UploadDownloadProxy filesrv paths | Network / Web | Look for unusual unauthenticated requests touching UploadDownloadProxy endpoints, especially patterns consistent with crafted “ticket” values. |
Attempts to retrieve sensitive configuration files (e.g., web.config) | File / Behavior | Hunt for access to configuration files that could enable follow-on compromise. Correlate with suspicious portal traffic. |
| Encrypted path string vghpI7EToZUDIZDdprSubL3mTZ2 | Web / Artifact | Reported as an encrypted representation of the web.config file path. Search proxy, WAF, and web server logs for this value. |
| Follow-on host and web-server anomalies | Host / Behavior | Defensive guidance: watch for unusual child processes, new scheduled tasks, or unexpected outbound connections originating from the server after suspicious portal activity. |
Affected Versions & Patch
- Affected: Gladinet CentreStack and Triofox versions prior to 16.12.10420.56791.
- Patch: Upgrade to version 16.12.10420.56791 or later, then validate exploitability has been eliminated.
Recommended actions (summary)
- Inventory and scope all CentreStack and Triofox instances, including MSP-managed and internal deployments.
- Patch immediately and restrict public exposure of portal endpoints where feasible.
- Hunt for IOC signals associated with suspicious portal requests and sensitive file access attempts.
- Verify remediation by re-testing after upgrades.
References
🔗 CISA Alert (Dec 15, 2025) — Adds CVE-2025-14611 to KEV
🔗 Huntress — Active exploitation and mitigation guidance
🔗 GitHub Advisory Database — CVE-2025-14611 summary
🔗 The Hacker News — log-hunt string vghpI7EToZUDIZDdprSubL3mTZ2
