CVE-2025-14611
Gladinet CentreStack and TrioFox Hard Coded AES Keys
In short
Gladinet CentreStack and TrioFox use hardcoded encryption keys instead of keys unique to each installation, which weakens security and allows unauthorized access to files on public-facing systems without authentication.
Technical detail
CWE-798 (hardcoded cryptographic keys) in the AES implementation lets unauthenticated attackers craft requests to publicly exposed endpoints and achieve arbitrary local file inclusion (LFI). Affects versions prior to 16.12.10420.56791 and may be chained with other vulnerabilities for full system compromise.
Summary generated and translated by AI from the official description.
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for publicly exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:A
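The following Go program is an added example, not code from the advisory or from Gladinet, modelling the key-handling flaw the description names: a request parameter protected with a key that ships inside the product can be minted by anyone who extracts that key, whereas a key generated per deployment and used with authenticated encryption rejects tokens it did not produce. The key value, function names and the "file=" parameter are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// hardcodedKey stands in for a key baked into shipped code (CWE-798); the value is constructed here, not the product's.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef")
// NewDeploymentKey returns a random 256-bit key generated once per install.
func NewDeploymentKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}
// NewTokenCipher builds AES-256-GCM so tokens are authenticated, not just encrypted.
func NewTokenCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg under aead with a random nonce, which is prepended.
func Seal(aead cipher.AEAD, msg []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal; a token sealed under any other key fails authentication.
func Open(aead cipher.AEAD, token []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(token) < n {
		return nil, fmt.Errorf("token too short: %d bytes", len(token))
	}
	return aead.Open(nil, token[:n], token[n:], nil)
}
func main() {
	// Anyone holding the shipped key can mint a parameter the server will act on.
	outsider, _ := NewTokenCipher(hardcodedKey)
	forged, _ := Seal(outsider, []byte("file=requester-chosen"))
	_, err := Open(outsider, forged)
	fmt.Println("shared-key token accepted:", err == nil)
}
```

The fix is not a different cipher but a key the attacker cannot obtain from the software itself, generated at install time and stored outside the binary.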
Affected products
Gladinet · CentreStack and TrioFox
Public PoCs found: 1
GitHub: github.com/pl4tyz/CVE-2025-14611-CentreStack-and-Triofox-full-Poc-Exploit