CVE-2025-14611

CRITICALCISA KEV

9.8

Description

Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published12/12/2025

Last Modified12/16/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorGladinet

ProductCentreStack and Triofox

Vulnerability NameGladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability

KEV Date Added2025-12-15

Remediation Due Date2026-01-05

Ransomware UseUnknown

Affected Products

gladinet:centrestackgladinet:triofox

Weaknesses (CWE)

CWE-798

References

https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability(5dacb0b8-2277-4717-899c-254586fe4912)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14611(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.