Detect Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation in Splunk
Detects exploitation of CVE-2025-14611, a hard-coded cryptographic key vulnerability (CWE-798) in Gladinet CentreStack and Triofox. Attackers who obtain the static machineKey or cryptographic seed can forge ASP.NET ViewState tokens or authentication artifacts, enabling remote code execution via deserialization attacks without valid credentials. This vulnerability is actively exploited and listed on CISA KEV.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
SPL Detection Query
index=iis OR index=wineventlog sourcetype IN (iis, WinEventLog:Security)
| eval is_iis = if(sourcetype="iis", 1, 0)
| eval is_security = if(sourcetype="WinEventLog:Security", 1, 0)
| search (cs_uri_stem IN ("*/portal/*", "*/triofox/*", "*/centrestack/*", "*/fileserver/*") cs_method="POST") OR (EventCode IN (4688, 4624) AND (process_name IN ("w3wp.exe", "cmd.exe", "powershell.exe", "wscript.exe")))
| eval viewstate_hit = if(match(cs_uri_query, "__VIEWSTATE=[A-Za-z0-9+/]{200,}"), 1, 0)
| eval suspicious_process = if(process_name IN ("cmd.exe", "powershell.exe", "wscript.exe") AND parent_process_name="w3wp.exe", 1, 0)
| eval score = viewstate_hit + suspicious_process
| where score >= 1
| eval risk_level = case(suspicious_process=1, "CRITICAL", viewstate_hit=1, "HIGH", true(), "MEDIUM")
| stats count, values(c_ip) as source_ips, values(cs_uri_stem) as endpoints, values(process_name) as processes, max(risk_level) as max_risk by host, _time span=5m
| where count > 1
| sort -max_risk, -countDetects exploitation attempts of CVE-2025-14611 by correlating anomalous POST requests carrying large ViewState payloads to Gladinet endpoints with child process spawning from IIS worker processes, indicating successful deserialization RCE.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate administrative tasks performed through the CentreStack web interface generating large form submissions
- Automated monitoring tools polling the CentreStack API with valid large payloads
- Security scanning tools generating synthetic ViewState payloads during authorized assessments
- IIS application pool recycling events causing temporary w3wp.exe spawning patterns
Other platforms for CVE-2025-14611
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Forged ASP.NET ViewState Payload Submission to CentreStack Endpoint
Expected signal: IIS access log entry showing POST to /portal/default.aspx with large cs-uri-query value; HTTP response code 500 if payload is malformed, 200 if bypassed; network events capturing the inbound connection
- Test 2IIS Worker Process Child Shell Spawn Simulation (Lab)
Expected signal: Windows Security Event ID 4688 for cmd.exe process creation; EDR process telemetry showing PowerShell spawning cmd.exe; file creation event for exploit_sim_output.txt in C:\Temp
- Test 3CentreStack web.config Hard-Coded MachineKey Inspection
Expected signal: File read event on web.config via Sysmon Event ID 11/4663; PowerShell script block logging capturing the content search pattern; output file creation at C:\Temp\machinekey_audit.txt
- Test 4Forged Authentication Token Submission via Hardcoded Key (Lab Only)
Expected signal: IIS access log showing GET request with .ASPXAUTH cookie header; Windows authentication event logs (Event ID 4624/4625) recording the authentication attempt; network events capturing the connection from the test host
Unlock Pro Content
Get the full detection package for CVE-2025-14611 including response playbook, investigation guide, and atomic red team tests.