A new vulnerability in Gladinet's CentreStack and Triofox products is being actively exploited. The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets. As many as nine organizations have been affected by the newly disclosed flaw.
The attacks originate from the IP address 147.124.216[.]205 and attempt to chain together a previously disclosed flaw in the same applications with the new exploit to access the machine key from the web.config file.
In light of active exploitation, organizations that are using CentreStack should update to the latest version, 16.12.10420.56791, released on December 8, 2025.
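As an added triage example (not code from Gladinet, Huntress or CISA), the Python below checks an installed build against the fixed version named above and scans IIS W3C log lines for requests from the reported source address. The log lines, URIs and the older build string are constructed placeholders, and the use of IIS W3C logging is an assumption about the deployment.

```python
import ipaddress

FIXED_BUILD = (16, 12, 10420, 56791)               # fixed version named in the article
IOC_IP = ipaddress.ip_address("147.124.216.205")   # source address named in the article

def parse_build(text):
    """Turn '16.12.10420.56791' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_update(installed):
    """True when the installed build is older than the fixed build."""
    return parse_build(installed) < FIXED_BUILD

def hits_from_ioc(lines):
    """Yield (date, time, method, uri, status) for W3C entries whose c-ip is the IoC.

    Column order comes from each '#Fields:' directive, because IIS logging
    can be customised and the directive can reappear mid-file.
    """
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or "c-ip" not in fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # malformed or truncated line
        if client == IOC_IP:
            yield tuple(row.get(k, "-") for k in
                        ("date", "time", "cs-method", "cs-uri-stem", "sc-status"))

# Constructed sample log (placeholder URIs, not real product paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-12-10 08:15:02 10.0.0.5 GET /placeholder/a - 443 - 198.51.100.7 200
2025-12-10 08:15:09 10.0.0.5 GET /placeholder/b id=1 443 - 147.124.216.205 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-12-10 08:16:30 147.124.216.205 POST /placeholder/c 500
2025-12-10 08:16:31 203.0.113.9 GET /placeholder/d 404
""".splitlines()

if __name__ == "__main__":
    print("update needed:", needs_update("16.11.0.0"))  # constructed older build
    for hit in hits_from_ioc(SAMPLE_LOG):
        print(hit)
```

A match only shows that the address reached the server; the status code and URI of each hit still need review against the host's own timeline.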
After CVE-2025-30406 and CVE-2025-11371, it is now the third CentreStack vulnerability that has been actively exploited in the wild since the beginning of the year. CVE-2025-14611 is the CVE identifier for a hard-coded cryptographic scheme vulnerability. The vulnerability has also been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which mandates that federal agencies implement the fixes by January 5, 2026.
"There's strong circumstantial evidence, but we can't say for sure it's the same threat actor," stated Anna Pham, a senior hunt and response analyst at Huntress. According to her, "the threat actor is chaining all three Gladinet vulnerabilities in a single, orchestrated attack flow." According to CISA, the vulnerability weakens security for publicly exposed endpoints that may make use of it, and may allow arbitrary local file inclusion when given a specially constructed request without authentication. (Details of the CVE were added to the story after it was published on December 16, 2025.)











