Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation
Detects exploitation of CVE-2025-14611, a hard-coded cryptographic key vulnerability (CWE-798) in Gladinet CentreStack and Triofox. Attackers who obtain the static machineKey or cryptographic seed can forge ASP.NET ViewState tokens or authentication artifacts, enabling remote code execution via deserialization attacks without valid credentials. This vulnerability is actively exploited and listed on CISA KEV.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Gladinet
- Product
- CentreStack and Triofox
Weakness (CWE)
Timeline
- Disclosed
- December 15, 2025
CVSS
What is CVE-2025-14611 Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation?
Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation (CVE-2025-14611) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation, covering the data sources and telemetry it touches: IIS Logs, Windows Security Events, Microsoft Defender for Endpoint. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
let GladinetPaths = dynamic(['/portal/', '/api/', '/fileserver/', '/triofox/', '/centrestack/']);
let SuspiciousPostPatterns = dynamic(['__VIEWSTATE', 'ScriptManager', 'ToolkitScriptManager']);
let timeWindow = 1h;
union DeviceNetworkEvents, W3CIISLog
| where TimeGenerated > ago(timeWindow)
| where RequestMethod =~ 'POST'
| where csUriStem has_any (GladinetPaths)
| extend RequestBodyIndicator = extract(@'(__VIEWSTATE|ScriptManager)=[A-Za-z0-9+/]{200,}={0,2}', 0, csUriQuery)
| where isnotempty(RequestBodyIndicator) or sc_status in (500, 200)
| project TimeGenerated, ComputerName, cIP, csUriStem, csMethod = RequestMethod, sc_status, cs_User_Agent = UserAgent, RequestBodyIndicator
| join kind=leftouter (
SecurityEvent
| where TimeGenerated > ago(timeWindow)
| where EventID in (4688, 4624)
| where ProcessName has_any ('w3wp', 'IIS', 'cmd', 'powershell', 'wscript')
| project TimeGenerated, Computer, Account, ProcessName, CommandLine
) on $left.ComputerName == $right.Computer
| where isnotempty(ProcessName) or sc_status == 500
| summarize count(), make_set(cIP), make_set(csUriStem), make_set(ProcessName) by bin(TimeGenerated, 5m), ComputerName
| where count_ > 2Detects suspicious POST requests to Gladinet CentreStack or Triofox endpoints involving large ViewState payloads, combined with IIS worker process anomalies indicative of ViewState deserialization exploitation leveraging a hard-coded machineKey.
Data Sources
Required Tables
False Positives
- Legitimate large file upload operations through the CentreStack portal generating oversized POST bodies
- Automated backup or sync agents making frequent POST requests to the file server API
- Vulnerability scanners or penetration testing tools probing the web application endpoints
- Load balancer health checks generating repeated requests to portal paths
Sigma rule & cross-platform mapping
The detection logic for Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation (CVE-2025-14611) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-14611
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Forged ASP.NET ViewState Payload Submission to CentreStack Endpoint
Expected signal: IIS access log entry showing POST to /portal/default.aspx with large cs-uri-query value; HTTP response code 500 if payload is malformed, 200 if bypassed; network events capturing the inbound connection
- Test 2IIS Worker Process Child Shell Spawn Simulation (Lab)
Expected signal: Windows Security Event ID 4688 for cmd.exe process creation; EDR process telemetry showing PowerShell spawning cmd.exe; file creation event for exploit_sim_output.txt in C:\Temp
- Test 3CentreStack web.config Hard-Coded MachineKey Inspection
Expected signal: File read event on web.config via Sysmon Event ID 11/4663; PowerShell script block logging capturing the content search pattern; output file creation at C:\Temp\machinekey_audit.txt
- Test 4Forged Authentication Token Submission via Hardcoded Key (Lab Only)
Expected signal: IIS access log showing GET request with .ASPXAUTH cookie header; Windows authentication event logs (Event ID 4624/4625) recording the authentication attempt; network events capturing the connection from the test host
Unlock Pro Content
Get the full detection package for CVE-2025-14611 including response playbook, investigation guide, and atomic red team tests.