CVE-2025-14611 — Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability

Gladinet CentreStack / Triofox — Hardcoded AES Keys Enable LFI → web.config Exfiltration → ViewState RCE (Clop-Linked)

What is Gladinet CentreStack?

Gladinet CentreStack and Triofox are enterprise private cloud file server and sync/share platforms that organizations deploy on-premises to provide Dropbox/OneDrive-style file sharing without using public cloud storage. They are built on ASP.NET and hosted on Windows Server / IIS. This is the second critical Gladinet vulnerability in 2025: CVE-2025-30406 (April 2025) involved the ASP.NET ViewState machine key being hardcoded in the default configuration. CVE-2025-14611 is a distinct, separate vulnerability — hardcoded AES encryption keys in the file transfer subsystem — but the attack chain can escalate to the same ViewState RCE outcome.

Overview

CVE-2025-14611 is a critical hardcoded cryptographic key vulnerability (CWE-798, CVSS 9.8) in Gladinet CentreStack and Triofox. The GladCtrl64.dll component uses static, hardcoded AES-256 keys (using Chinese text as the encryption key and Japanese marketing text as the initialization vector) to encrypt "Access Tickets" — file path tokens used by the filesvr.dn HTTP handler. Because the keys are identical in every installation, an attacker can decrypt legitimate tickets, forge malicious ones with arbitrary file paths, and read arbitrary files from the server unauthenticated — including web.config, which contains the ASP.NET machine key needed for ViewState deserialization RCE. Huntress discovered active exploitation on December 2, 2025, with Clop ransomware intelligence linking the campaign to ransomware actors.

Affected Versions

Product              | Vulnerable                                 | Fixed
Gladinet CentreStack | All versions prior to 16.12.10420.56791    | 16.12.10420.56791
Gladinet Triofox     | All versions prior to 16.12.10420.56791    | 16.12.10420.56791

Technical Details

The vulnerability (CWE-798: Use of Hard-coded Credentials) is in GladCtrl64.dll, which implements the filesvr.dn HTTP handler for file access. The handler uses AES-256 encryption for "Access Tickets" — tokens containing file paths, access permissions, and expiration timestamps. The encryption keys are hardcoded directly in the DLL:

  • Encryption key: A static string of Chinese text (identical in every installation)
  • Initialization vector (IV): A static string of Japanese marketing text (identical in every installation)

The full exploit chain:

  1. Ticket forgery: Using the known hardcoded keys, an attacker creates a forged Access Ticket for any file path — including C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config. Forged tickets use an expiration timestamp of year 9999 to ensure they are always valid.
  2. Local file inclusion (LFI): The forged ticket is submitted to the filesvr.dn endpoint, which returns the requested file without authentication.
  3. Machine key extraction: The web.config file contains the ASP.NET <machineKey> values used for ViewState signing.
  4. ViewState deserialization RCE: Using the extracted machine key, the attacker forges a malicious ASP.NET ViewState payload containing a .NET gadget chain, submits it to any CentreStack/Triofox ASP.NET endpoint, and achieves unauthenticated remote code execution.

Detection indicator: Scan logs for the encrypted string vghpI7EToZUDIZDdprSubL3mTZ2 — a characteristic artifact of exploit attempts against the filesvr.dn endpoint.
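A defender-side hunt for the indicator above, written as an added example that is not part of this advisory or of Gladinet's software: it parses IIS W3C log entries by their #Fields: header and flags any request carrying the published string or arriving from the published attacker IP. The log lines are constructed, and the field layout is an assumed IIS W3C configuration.

```python
"""Hunt IIS W3C logs for the CVE-2025-14611 indicators given in this advisory.

Added example, not code from the advisory or from Gladinet. Assumes IIS W3C
extended logging with a '#Fields:' header; the indicator string and attacker
IP are the values published above (the IP is defanged there).
"""
from typing import Dict, List

INDICATOR = "vghpI7EToZUDIZDdprSubL3mTZ2"                # from the advisory
ATTACKER_IPS = {"147.124.216[.]205".replace("[.]", ".")}  # refanged for matching

# Constructed sample log (not real traffic): one benign page load, one
# request carrying the indicator from the attacker IP, one ordinary ticket.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-12-10 08:01:12 10.0.0.5 GET /portal/loginpage.aspx - 10.0.0.77 Mozilla/5.0 200
2025-12-10 08:02:40 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2AAAA 147.124.216.205 python-requests/2.31 200
2025-12-10 08:03:02 10.0.0.5 GET /storage/filesvr.dn t=QmVuaWduVGlja2V0 203.0.113.9 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Map each entry to a dict keyed by the names in the '#Fields:' header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may repeat after log rotation
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()       # IIS writes '+' for spaces, so split is safe
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def hunt_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request matching an indicator from the advisory."""
    findings: List[Dict[str, object]] = []
    for r in parse_iis_log(text):
        stem, query, cip = r.get("cs-uri-stem", ""), r.get("cs-uri-query", ""), r.get("c-ip", "")
        reasons = []
        if INDICATOR in query or INDICATOR in stem:
            reasons.append("forged Access Ticket indicator")   # filesvr.dn exploit attempt
        if cip in ATTACKER_IPS:
            reasons.append("known attacker IP")
        if reasons:
            findings.append({"when": f"{r.get('date')} {r.get('time')}", "client": cip,
                             "uri": stem, "reasons": reasons})
    return findings
```

Point hunt_log at each rotated u_ex*.log file under the IIS LogFiles directory; a legitimate ticket in the query string is not flagged, only the published indicator or the published source IP.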

Discovery

Huntress Labs researchers discovered the vulnerability after receiving a customer incident report on December 2, 2025, and confirmed active exploitation across multiple organizations.

Exploitation Context

Active exploitation was confirmed from approximately December 10, 2025, with at least 9 organizations impacted in the initial wave. Attacks originated from IP 147.124.216[.]205. Additional incidents occurred on December 15. Intelligence from December 18 links the campaign to the Clop ransomware group (TA505, Graceful Spider) — the same group that exploited Oracle EBS (CVE-2025-61882) and the MOVEit/GoAnywhere vulnerabilities in prior years. Clop's established playbook of targeting managed file transfer platforms makes Gladinet a consistent target. CISA added CVE-2025-14611 to the KEV catalog on December 15, 2025, with a January 5, 2026 deadline.

Note: CVE-2025-14611 is distinct from CVE-2025-30406 (the April 2025 ViewState machine key vulnerability) — they are different attack vectors on different code components, though both ultimately enable ViewState deserialization RCE.

Remediation

  1. Upgrade CentreStack and Triofox to version 16.12.10420.56791 or later immediately.
  2. Apply the CentreStack hardening guide at https://support.centrestack.com/hc/en-us/articles/360007159054 — specifically rotate the AES encryption keys used by GladCtrl64.dll to unique values after upgrading.
  3. Rotate the ASP.NET machine key in web.config to a newly generated unique value (as recommended by the hardening guide) — if the web.config was exfiltrated via the LFI, the machine key is compromised regardless of the upgrade.
  4. Scan logs for exploit indicator vghpI7EToZUDIZDdprSubL3mTZ2 in HTTP request logs to filesvr.dn — this string indicates exploitation attempts.
  5. Hunt for post-exploitation: check for new administrator accounts, unexpected files in CentreStack/IIS directories, and signs of lateral movement (domain admin group membership changes, unexpected RDP sessions).
  6. Block IP 147.124.216[.]205 at perimeter firewalls if observed in logs.

Key Details

Property             | Value
CVE ID               | CVE-2025-14611
Vendor / Product     | Gladinet — CentreStack and Triofox
NVD Published        | 2025-12-12
NVD Last Modified    | 2025-12-16
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-798
CISA KEV Added       | 2025-12-15
CISA KEV Deadline    | 2026-01-05
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2026-01-05. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2025-11-29 | Gladinet releases version 16.12.10420.56791 — patching hardcoded AES keys
2025-12-02 | Huntress receives customer report; begins investigation confirming active exploitation
2025-12-10 | 9 confirmed victim organizations; attack IP 147.124.216[.]205 identified
2025-12-12 | CVE published
2025-12-15 | CISA adds to Known Exploited Vulnerabilities catalog
2025-12-18 | Intelligence reports suspect Clop ransomware group involvement
2026-01-05 | CISA BOD 22-01 remediation deadline