ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence · 12/15/2025

What happened

CISA added CVE-2025-14611 (Gladinet CentreStack and Triofox) to the Known Exploited Vulnerabilities catalog, designating it as actively exploited in the wild [CISA KEV]. The flaw is a hard-coded cryptographic key issue in the products’ AES implementation, which weakens protection for publicly exposed endpoints [NVD entry]. Per CISA’s record, successful abuse may enable arbitrary local file inclusion (LFI) via a specially crafted unauthenticated request [CISA KEV]. CISA’s required action is to apply vendor mitigations, follow applicable BOD 22-01 cloud guidance, or discontinue use if no mitigation is available [CISA KEV]. The due date for federal remediation is 2026-01-05 [CISA KEV].

Why it matters

Hard-coded keys collapse the security model of symmetric encryption: anyone who learns the static key can decrypt or forge protected data without holding any credentials [NVD entry]. When such crypto wraps request parameters or access tokens on internet-exposed file gateways, attackers gain leverage to pivot into sensitive paths or metadata flows [CISA KEV]. CISA’s inclusion of the CVE in KEV signals confirmed exploitation pressure against these products, raising the risk of opportunistic mass scanning of public surfaces [CISA KEV].

The vulnerability maps to CWE-798 (use of hard-coded credentials/keys), a class tied to systemic breakage of confidentiality and integrity guarantees [NVD entry]. In this case, the impact can include unauthenticated LFI according to the CVE description, which implies potential read access to local files reachable by the application context [NVD entry].

Technical detail

The core flaw: Gladinet CentreStack and Triofox use hard-coded cryptographic keys in their AES scheme [NVD entry]. When a symmetric key is embedded and static, any request element encrypted or signed with that key can be decrypted or forged by an adversary who recovers the key once, undermining any authentication or authorization check that relies on it [NVD entry]. CISA’s write-up states that the weakness degrades the security of public endpoints leveraging the mechanism, and may allow arbitrary local file inclusion through an unauthenticated, specially crafted request [CISA KEV]. The CVE is also mapped to CWE-798, confirming the “hard-coded secret” category [MITRE CVE record].

While implementation specifics are not publicly detailed in the advisory sources, the described behavior is consistent with a pattern in which encrypted parameters or tokens guard file paths or resource selectors; if the key is universal and discoverable, an attacker can craft ciphertexts that resolve to arbitrary local resources handled by the server [NVD entry]. Because the impact is described as achievable without authentication, any internet-facing deployment enlarges the attack surface for automated exploitation attempts [CISA KEV].
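To make the mitigation side of this pattern concrete, here is an added example (not Gladinet's code and not the product's actual scheme) of how a file-access ticket should be handled on such an endpoint. It substitutes a standard-library HMAC tag for the page's AES encryption so it runs without dependencies; the `FILE_TICKET_KEY` variable, the `SHARE_ROOT` path and the `selector|tag` ticket format are assumptions.

```python
"""Hardened handling of a keyed file-access ticket.

Added example, not Gladinet's code. The page describes request parameters
that select files on a public endpoint, protected by a hard-coded AES key.
A standard-library HMAC tag stands in for AES here; the two fixes shown
matter regardless of primitive: the key is loaded per deployment and never
embedded, and the decoded selector is still confined to the share root so
even a validly minted ticket cannot reach arbitrary local files.
"""
import hashlib
import hmac
from pathlib import Path
from typing import Optional

SHARE_ROOT = Path("/srv/share").resolve()  # assumed share root (constructed)


def load_key(env: dict) -> bytes:
    """Per-deployment key from the environment or secret store; fails closed.

    The weak pattern is a module-level constant (KEY = b"..."): every install
    shares it, so recovering it once forges tickets for every deployment.
    """
    raw = env.get("FILE_TICKET_KEY")  # assumed variable name
    if not raw or len(raw) < 32:
        raise RuntimeError("FILE_TICKET_KEY missing or too short")
    return raw.encode()


def mint_ticket(key: bytes, selector: str) -> str:
    """Bind a relative selector to this deployment's key."""
    tag = hmac.new(key, selector.encode(), hashlib.sha256).hexdigest()
    return f"{selector}|{tag}"


def resolve_ticket(key: bytes, ticket: str) -> Optional[Path]:
    """Return the file to serve, or None if the ticket is forged or escapes root."""
    selector, _, tag = ticket.rpartition("|")
    expected = hmac.new(key, selector.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered ticket
    # Authenticity is not authorization: confine the selector to the share.
    target = (SHARE_ROOT / selector).resolve()
    if target != SHARE_ROOT and SHARE_ROOT not in target.parents:
        return None  # would read outside the share (traversal or absolute path)
    return target
```

The second check is what limits blast radius if a key ever leaks: a ticket that authenticates but points outside the share is still refused.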

Defense

Immediate priorities:

  • Treat internet exposure as high risk for affected endpoints and apply vendor mitigations or updates per CISA guidance [CISA KEV].
  • Follow BOD 22-01-aligned hardening for cloud-exposed services (restrict exposure, enforce network policy, and remove unauthenticated access where feasible) [CISA KEV].
  • If mitigations are unavailable, plan to discontinue or isolate the product as directed by CISA [CISA KEV].

Operational controls while patching/mitigating:

  • Reduce attack surface: gate public endpoints behind VPN or IP allowlists; disable unauthenticated routes associated with file-access paths where possible [CISA KEV].
  • Monitor for exploitation patterns: spikes in unauthenticated requests to file-access endpoints, anomalous path selectors, or repeated failed access to local resource URIs consistent with LFI probing [NVD entry].
  • Align the remediation timeline to the KEV due date (2026-01-05) and track closure in vulnerability management processes [CISA KEV].
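As an added illustration of the monitoring bullet (not Lyrie's detection logic), the following scores unauthenticated requests to a file-access route over a few constructed access-log lines. The log format, the `/storage/file` route, the `sel` parameter name and the thresholds are assumptions; encrypted selectors are opaque, so the rule leans on request volume, failure rate and any selector that decodes to a traversal shape.

```python
"""Score unauthenticated file-access traffic for LFI-probing signals.

Added example with an assumed log format: timestamp src user method path status.
"""
import re
import urllib.parse
from collections import defaultdict

# Constructed sample lines; "-" in the user field means unauthenticated.
SAMPLE_LOG = """\
2025-12-15T10:00:01Z 203.0.113.7 - GET /storage/file?sel=QWxp 200
2025-12-15T10:00:02Z 203.0.113.7 - GET /storage/file?sel=Li4vLi4vd2luZG93cw 404
2025-12-15T10:00:02Z 203.0.113.7 - GET /storage/file?sel=Li4vLi4vZXRj 404
2025-12-15T10:00:03Z 203.0.113.7 - GET /storage/file?sel=../../etc/passwd 403
2025-12-15T10:00:03Z 203.0.113.7 - GET /storage/file?sel=..%2F..%2Fweb.config 403
2025-12-15T10:00:10Z 198.51.100.4 alice GET /storage/file?sel=ZG9jcw 200
2025-12-15T10:00:11Z 198.51.100.4 alice GET /dashboard 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
FILE_ROUTES = ("/storage/file",)  # assumed file-access route(s)
# Selector shapes that should never appear in a legitimate relative selector.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|^/|^[a-z]:)", re.I)


def analyze(log_text: str, burst_threshold: int = 4, fail_threshold: int = 3) -> dict:
    """Return {source_ip: [reasons]} for sources that trip any rule."""
    stats = defaultdict(lambda: {"unauth": 0, "failed": 0, "traversal": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, user, _method, path, status = m.groups()
        route, _, query = path.partition("?")
        if not route.startswith(FILE_ROUTES) or user != "-":
            continue  # only unauthenticated hits on file-access routes count
        s = stats[src]
        s["unauth"] += 1
        if status in ("403", "404"):
            s["failed"] += 1  # repeated failures on file routes suggest probing
        selector = urllib.parse.unquote(query.partition("sel=")[2])
        if TRAVERSAL.search(selector):
            s["traversal"] += 1
    alerts = {}
    for src, s in stats.items():
        reasons = []
        if s["unauth"] >= burst_threshold:
            reasons.append("unauth burst")
        if s["failed"] >= fail_threshold:
            reasons.append("repeated failed file access")
        if s["traversal"]:
            reasons.append("traversal-like selector")
        if reasons:
            alerts[src] = reasons
    return alerts
```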

Lyrie Verdict

This is pre-auth crypto misuse in an internet-facing file gateway—perfect fuel for automated scanners and agentic adversaries driving machine-speed request mutation [CISA KEV]. Lyrie ingests KEV updates in real time and prioritizes detections for CVE-2025-14611-class traffic: unauthenticated parameterized requests that carry deterministic crypto artifacts and produce file-access side effects [NVD entry]. We auto-correlate these with service fingerprints for CentreStack/Triofox to flag exposure, suppress false positives, and escalate only when LFI-like responses or traversal indicators are observed—no human-in-the-loop delay [CISA KEV]. For anti-rogue-AI defense, that means your perimeter reacts at compute speed to the same automated techniques attackers use.

Lyrie Verdict

Pre-auth crypto misuse on public endpoints invites automated, agentic exploitation. Lyrie auto-prioritizes CVE-2025-14611 via live KEV feeds and detects unauthenticated, crypto-bearing requests with file-access side effects at machine speed—escalating only on LFI-like evidence to outpace rogue-AI scanners.