CVE-2025-14611 Google Chronicle · YARA-L

Detect Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation in Google Chronicle

Detects exploitation of CVE-2025-14611, a hard-coded cryptographic key vulnerability (CWE-798) in Gladinet CentreStack and Triofox. Attackers who obtain the static machineKey or cryptographic seed can forge ASP.NET ViewState tokens or authentication artifacts, enabling remote code execution via deserialization attacks without valid credentials. This vulnerability is actively exploited and listed on CISA KEV.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2025_14611_gladinet_hardcoded_key {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2025-14611 exploitation in Gladinet CentreStack/Triofox via hard-coded cryptographic key abuse"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-14611"
    mitre_attack = "T1190, T1059, T1078"

  events:
    // IIS POST to Gladinet endpoints with large payload (ViewState deserialization)
    $web.metadata.event_type = "NETWORK_HTTP"
    $web.network.http.method = "POST"
    (
      $web.target.url.path = /\/portal\// or
      $web.target.url.path = /\/triofox\// or
      $web.target.url.path = /\/centrestack\// or
      $web.target.url.path = /\/fileserver\//
    )
    (
      $web.network.http.response_code = 500 or
      strings.length($web.target.url.query) > 500
    )
    $web.target.hostname = $host

    // Suspicious process spawn from IIS worker within 2 minutes
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    (
      $proc.target.process.file.full_path = /cmd\.exe/ or
      $proc.target.process.file.full_path = /powershell\.exe/ or
      $proc.target.process.file.full_path = /wscript\.exe/ or
      $proc.target.process.file.full_path = /cscript\.exe/
    )
    $proc.target.process.parent_process.file.full_path = /w3wp\.exe/
    $proc.principal.hostname = $host

    $web.metadata.event_timestamp.seconds < $proc.metadata.event_timestamp.seconds
    $proc.metadata.event_timestamp.seconds - $web.metadata.event_timestamp.seconds < 120

  condition:
    $web and $proc
}
critical severity high confidence

Chronicle YARA-L rule correlating suspicious POST requests to Gladinet CentreStack/Triofox web paths with child process spawning from IIS worker processes, indicating active exploitation of the hard-coded machineKey deserialization vulnerability.

Data Sources

Chronicle UDMHTTP Log FeedsWindows Process Events via EDR

Required Tables

UDM Events

False Positives & Tuning

  • Legitimate large POST requests to the CentreStack portal during high-volume file sync operations
  • Authorized PowerShell scripts running under the IIS application pool account for maintenance tasks
  • Security assessments where synthetic ViewState payloads are used to test defenses
  • Application deployment automation that spawns cmd.exe from w3wp.exe during CentreStack updates

Other platforms for CVE-2025-14611

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Forged ASP.NET ViewState Payload Submission to CentreStack Endpoint

    Expected signal: IIS access log entry showing POST to /portal/default.aspx with large cs-uri-query value; HTTP response code 500 if payload is malformed, 200 if bypassed; network events capturing the inbound connection

  2. Test 2IIS Worker Process Child Shell Spawn Simulation (Lab)

    Expected signal: Windows Security Event ID 4688 for cmd.exe process creation; EDR process telemetry showing PowerShell spawning cmd.exe; file creation event for exploit_sim_output.txt in C:\Temp

  3. Test 3CentreStack web.config Hard-Coded MachineKey Inspection

    Expected signal: File read event on web.config via Sysmon Event ID 11/4663; PowerShell script block logging capturing the content search pattern; output file creation at C:\Temp\machinekey_audit.txt

  4. Test 4Forged Authentication Token Submission via Hardcoded Key (Lab Only)

    Expected signal: IIS access log showing GET request with .ASPXAUTH cookie header; Windows authentication event logs (Event ID 4624/4625) recording the authentication attempt; network events capturing the connection from the test host

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-14611 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.001PowerShellT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections