CVE-2025-14611 — Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability

2025-12-15 • CISA Known Exploited Vulnerability

[event] Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.

> AFFECTED SOFTWARE

Field	Value
Vendor	Gladinet
Product	CentreStack and Triofox
CWE	CWE-798
CVE ID	CVE-2025-14611
Date Added	2025-12-15
Due Date	2026-01-05
Ransomware Campaign	Unknown

> MITIGATION

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Due Date: 2026-01-05

> REFERENCES

[1] https://www.centrestack.com/p/gce_latest_release.html
[2] https://access.triofox.com/releases_history/
[3] https://support.centrestack.com/hc/en-us/articles/360007159054-Hardening-the-Cen...
[4] https://nvd.nist.gov/vuln/detail/CVE-2025-14611