PT-2025-50981 · Triofox +1

Bryan Masters · Published 2025-12-12 · Updated 2026-04-22

CVE-2025-14611
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gladinet CentreStack and Triofox versions prior to 16.12.10420.56791

Description: Gladinet CentreStack and Triofox use hardcoded values in their AES cryptoscheme implementation. This weakens the scheme, particularly on publicly exposed endpoints, and permits arbitrary local file inclusion through specially crafted, unauthenticated requests. Exploitation can lead to full system compromise, especially when chained with other existing weaknesses. The vulnerability resides in the filesrv action of the UploadDownloadProxy component, where hardcoded values are used for AES encryption; an attacker who can decrypt or forge tickets can download arbitrary files from the host machine. Reports indicate active exploitation of this flaw in the wild, with attackers using it to extract sensitive configuration files and potentially execute unauthorized code.

Recommendations: Update Gladinet CentreStack and Triofox to version 16.12.10420.56791 or later.
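The recommendation above is only actionable if an inventory check compares build strings numerically; a plain string comparison ranks "16.9.x" above "16.12.x" and wrongly clears unpatched hosts. The following is an added example, not code from the advisory or from Gladinet, that classifies installed CentreStack/Triofox versions against the fixed build named above (the host names and versions in the sample inventory are constructed):

```python
# Added example, not part of the PT-2025-50981 advisory: classify installed
# CentreStack/Triofox builds against the first fixed release named above.
from typing import Dict, List

FIXED_VERSION = "16.12.10420.56791"  # first fixed build per the advisory


def parse_version(version: str) -> List[int]:
    """Split a dotted build string into integers; reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return [int(p) for p in parts]


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Return True when `installed` is strictly older than `fixed`.

    Components are compared numerically, not lexically, and a shorter
    string is zero-padded so "16.12" is treated as "16.12.0.0".
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'update required' / 'patched' / 'unparseable'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "update required" if is_affected(version) else "patched"
        except ValueError:
            # Unreadable version strings need manual follow-up, not a silent pass.
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = {
        "fileserver-01": "16.12.10420.56790",
        "fileserver-02": "16.12.10420.56791",
        "fileserver-03": "16.9.10312.56001",
        "fileserver-04": "unknown",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```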

Tags: Exploit · Fix · LPE · RCE

Weakness Enumeration: Using Hardcoded Credentials

Related Identifiers: CVE-2025-14611

Affected Products: Gladinet CentreStack, Triofox