Cybersecurity Alert - Threat Actors Exploiting Gladinet CentreStack and TrioFox Vulnerabilities
Impact: All Firms Using Gladinet CentreStack or TrioFox Applications
FINRA firms should be aware of multiple critical vulnerabilities in Gladinet's CentreStack and TrioFox file sharing and collaboration applications, which threat actors are actively exploiting to gain unauthorized access to, and remote control of, organizational systems.
FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel, as well as any third-party vendors that may use these Gladinet applications, to identify whether your firm is impacted and take immediate steps to protect your environments.
BACKGROUND
Gladinet is a technology company that specializes in cloud storage and file management solutions. In response to evidence that threat actors have been actively exploiting weak cryptographic controls1 in these applications, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14611 to its Known Exploited Vulnerabilities (KEV) Catalog on Dec. 15, 2025. This insecure-cryptography vulnerability affects Gladinet CentreStack and TrioFox releases prior to version 16.12.10420.56791.
Threat actors, including the known ransomware group Clop2, are confirmed to have exploited these vulnerabilities to gain access to organizations' systems, with many of the attacks coming from the same IP address (147.124.216[.]205). They have expanded their attacks by exploiting two additional vulnerabilities (CVE-2025-11371 and CVE-2025-30406) to bypass authentication controls, execute code on the target server, and steal data from it.
If your firm uses Gladinet CentreStack or TrioFox for file sharing or collaboration, these vulnerabilities could allow unauthorized access to and control of your systems and data, and could give attackers persistent access to your environment.
RECOMMENDED ACTIONS
FINRA strongly encourages member firms using Gladinet CentreStack or TrioFox to immediately share the following information with their cybersecurity and technology management personnel so they can take urgent steps to protect their environments. Firms should consult the hyperlinks contained in the Technical Details section below for specific instructions on updating vulnerable systems, and consider the following actions to mitigate the risk associated with these vulnerabilities:
- Patching/Upgrading:3 Because threat actors are currently exploiting these vulnerabilities, the most direct and critical mitigation is to immediately update all Gladinet CentreStack and TrioFox deployments to version 16.12.10420.56791 or newer. Test patches in a non-production environment first (see the Technical Details section below for CVE-2025-11371, CVE-2025-30406 and CVE-2025-14611).
- Rotate Machine Keys:4 After updating, immediately rotate (change) the machineKey in the server's web.config file. Patching alone does not help if an attacker has already read the key from web.config or knows the hardcoded value; rotating it invalidates any malicious ViewState payloads an attacker may have generated with the old key.
- Network Segmentation & Access Control:5 If possible, block the reported threat actor IP address 147.124.216[.]205 at the network perimeter (firewall/WAF), although attackers may quickly switch sources. Implement network segmentation and access controls to limit the blast radius in case of compromise. Restrict access to vulnerable services to only necessary users and IP ranges.
- Scan for Indicators of Compromise (IoCs):6 Review IIS logs and application event logs for signs of compromise. Specifically, search for the string vghpI7EToZUDIZDdprSubL3mTZ2 in GET requests to /storage/filesvr.dn. This string is the encrypted form of the path to the sensitive web.config file; because the encryption key and initialization vector are hardcoded and identical across installations, the same ciphertext appears in every exploitation attempt, and its presence indicates an attempt to read web.config.
- Check for Persistence/Backdoors:7 Thoroughly inspect compromised or potentially compromised host systems for unauthorized files, new user accounts, or persistent access mechanisms (e.g., scheduled tasks, modified web application files, registry changes) that may have been established by attackers after achieving remote code execution.
- Review Application Pool Identity:8 Validate that the IIS application pool identity under which CentreStack/TrioFox runs follows the principle of least privilege (a dedicated low-privilege account rather than LocalSystem or an administrative account), limiting what an attacker can do on the host if remote code execution is achieved.
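As an added example (not code from FINRA or Gladinet), the following Python script runs the log check from the "Scan for Indicators of Compromise" action above over IIS W3C log records. The only facts it takes from the alert are the /storage/filesvr.dn path, the vghpI7EToZUDIZDdprSubL3mTZ2 string and the reported source IP; the sample log lines, the query parameter name t, the other paths, user agents and non-actor client IPs are constructed for illustration, and the parser assumes IIS's standard W3C extended format with a #Fields header.

```python
"""Scan IIS W3C (extended log format) records for the CentreStack/TrioFox
indicators named in this alert. Added example, not Gladinet or FINRA code."""
from dataclasses import dataclass

# Indicators taken from the alert. The encrypted string is the same on every
# vulnerable install because the AES key and IV are hardcoded (footnote 1).
IOC_PATH = "/storage/filesvr.dn"
IOC_ENCRYPTED_WEBCONFIG = "vghpI7EToZUDIZDdprSubL3mTZ2"
IOC_SOURCE_IP = "147.124.216.205"

REASON_WEBCONFIG = "encrypted web.config path requested via filesvr.dn"
REASON_ACTOR_IP = "request from reported threat actor IP"


@dataclass
class Finding:
    line_no: int
    client_ip: str
    request: str
    reasons: list


def parse_w3c(lines):
    """Yield (line_no, record dict) for each data line, using the #Fields header
    so the parser does not depend on a fixed column order."""
    fields = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data record before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):    # truncated or malformed record; skip it
            continue
        yield line_no, dict(zip(fields, values))


def scan(lines):
    """Return a Finding for every record that matches at least one indicator."""
    findings = []
    for line_no, rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        client_ip = rec.get("c-ip", "-")
        request = f"{rec.get('cs-method', '-')} {stem}" + ("" if query == "-" else f"?{query}")
        reasons = []
        # The alert does not name the query parameter, so match the string anywhere
        # in the request line. It is alphanumeric, so URL encoding cannot hide it.
        if stem.lower() == IOC_PATH and IOC_ENCRYPTED_WEBCONFIG in (stem + query):
            reasons.append(REASON_WEBCONFIG)
        if client_ip == IOC_SOURCE_IP:
            reasons.append(REASON_ACTOR_IP)
        if reasons:
            findings.append(Finding(line_no, client_ip, request, reasons))
    return findings


def scan_text(text):
    return scan(text.splitlines())


# Constructed sample log in IIS's default field layout. The paths other than
# /storage/filesvr.dn, the "t=" parameter name, the user agents and the
# non-actor client IPs are invented for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-12-16 03:14:07 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2025-12-16 03:14:09 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2 443 - 147.124.216.205 python-requests/2.31 200 0 0 15
2025-12-16 03:15:01 10.0.0.5 GET /storage/filesvr.dn t=abcd1234 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 404 0 2 4
2025-12-16 03:15:30 10.0.0.5 POST /portal/login.aspx - 443 - 147.124.216.205 python-requests/2.31 302 0 0 30
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.request} -> {'; '.join(f.reasons)}")
```

Point scan() at each daily u_ex*.log under the site's log directory (IIS's default is %SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>). A hit on the web.config indicator is an exploitation attempt even when the response status is not 200, so treat the host as potentially compromised and proceed to the key rotation and persistence checks rather than filtering on status. The parser resets its column layout at every #Fields line, so logs whose field selection changed mid-file are still read correctly.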
Technical Details
- CVE-2025-11371 (CVSS: 7.5, EPSS: 66.0%, In KEV: Yes, added 11/4/2025):9 In the default installation and configuration of Gladinet CentreStack and TrioFox, an unauthenticated local file inclusion flaw allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts all versions of Gladinet CentreStack and TrioFox up to and including 16.7.10368.56560.
- CVE-2025-14611 (CVSS: 7.1, EPSS: 37.83%, In KEV: Yes): The applications use hardcoded values in their AES implementation. This degrades the security of any publicly exposed endpoint that relies on it and may permit arbitrary local file inclusion through a specially crafted request sent without authentication. It can be chained with the other vulnerabilities to achieve full system compromise.
- CVE-2025-30406 (CVSS: 9.8, EPSS: 86.8%, In KEV: Yes): Caused by the CentreStack portal's use of a hardcoded ASP.NET machineKey. An attacker who knows the key can craft a serialized ViewState payload that the server deserializes, achieving remote code execution.
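The machineKey rotation recommended in the Recommended Actions section is the direct countermeasure to the hardcoded key behind CVE-2025-30406. As an added example (not Gladinet's tooling or FINRA's), the following Python script generates fresh key material and replaces the <machineKey> element in a web.config. It assumes the standard ASP.NET layout (configuration/system.web/machineKey), chooses HMACSHA256 validation with AES decryption, and takes the web.config path from the operator; the sample web.config and its all-zero placeholder keys are constructed and are not Gladinet's real values.

```python
"""Rotate the ASP.NET <machineKey> in a web.config. Added example, not
Gladinet's tooling; the web.config layout is the standard ASP.NET one."""
import secrets
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Key sizes for the algorithms we set: HMACSHA256 validation key of 64 random
# bytes (128 hex chars) and an AES-256 decryption key of 32 bytes (64 hex chars).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def generate_machine_key():
    """Fresh, per-server key material from the OS CSPRNG."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def read_machine_key(xml_text):
    """Return the attributes of configuration/system.web/machineKey, or None."""
    mk = ET.fromstring(xml_text.encode("utf-8")).find("system.web/machineKey")
    return dict(mk.attrib) if mk is not None else None


def rotate_machine_key(xml_text, new_key):
    """Replace (or create) the machineKey element and return the new config text."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "configuration":
        raise ValueError(f"unexpected root element <{root.tag}>; not a web.config")
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    # Drop every old attribute so the hardcoded key cannot survive next to the new one.
    mk.attrib.clear()
    mk.attrib.update(new_key)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def rotate_file(path):
    """Back up web.config, write the rotated copy, and return the new key
    (assumed path supplied by the operator, e.g. the portal's web.config)."""
    path = Path(path)
    shutil.copy2(path, Path(str(path) + ".bak"))
    new_key = generate_machine_key()
    rotated = rotate_machine_key(path.read_text(encoding="utf-8"), new_key)
    path.write_text(rotated, encoding="utf-8")
    return new_key


# Constructed sample. The key values are placeholders, not Gladinet's real hardcoded key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0000000000000000000000000000000000000000000000000000000000000000"
                decryptionKey="00000000000000000000000000000000"
                validation="SHA1" decryption="AES" />
    <compilation targetFramework="4.8" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    key = generate_machine_key()
    print(rotate_machine_key(SAMPLE_WEB_CONFIG, key))
```

Two caveats when applying this for real. ElementTree discards XML comments and reflows whitespace, so diff the rewritten file against the .bak copy before accepting it, or transplant only the <machineKey> line into the original. All nodes behind a load balancer must receive the same new key, and every user's existing ViewState becomes invalid at the moment of rotation, which is the intended effect. Follow the vendor instructions linked from this section if the application stores its key anywhere other than web.config.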
FINRA encourages member firms that identify data breaches or attempted data breaches to contact your Risk Monitoring Analyst and report them to:
- FINRA using the Regulatory Tip Form found on FINRA.org;
- the SEC using the Tips, Complaints, and Referrals form or by calling (202) 551-4790; and
- the FBI using its Internet Crime Complaint Center or by calling 1-800-CALLFBI (1-800-225-5324).
Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).
Note: In citing any industry publication, FINRA is not adopting any author’s viewpoint or endorsing any commercial product or service. Any reference in cited articles to specific commercial products, processes or services does not constitute or imply their endorsement, recommendation or favoring by FINRA. This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.
If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Risk Officer (CRO) and/or Regulatory Inquiries contact in FINRA Gateway.
1 Specifically, threat actors are exploiting weak cryptography controls because of the use of hardcoded cryptographic keys and initialization vectors that are identical across all vulnerable installations of the applications.
2 Clop (aka cl0p) is a ransomware gang that operates flexibly as a Ransomware as a Service (RaaS) platform, an affiliate for others, and an Initial Access Broker (IAB). Initially known for encrypting and leaking data, Clop shifted its focus primarily to large-scale data theft around 2021.
3 If immediate patching is not possible, limit internet exposure of endpoints, require authentication for sensitive endpoints, temporarily segment affected services, and apply rate limiting with anomaly detection around endpoints to reduce exposure to high-volume automated exploitation.
4 This recommendation follows one category of the IDENTIFY (ID) core function of NIST's Cybersecurity Framework (CSF) 2.0: ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded.
5 This recommendation follows one category of the PROTECT (PR) core function of NIST's Cybersecurity Framework (CSF) 2.0: PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
6 This recommendation follows one category of the PROTECT (PR) core function of NIST's Cybersecurity Framework (CSF) 2.0: PR.IR-01: Networks and environments are protected from unauthorized logical access and usage.
7 This recommendation follows one category of the PROTECT (PR) core function of NIST's Cybersecurity Framework (CSF) 2.0: PR.PS-01: Configuration management practices are established and applied.
8 This recommendation follows one category of the DETECT (DE) core function of NIST's Cybersecurity Framework (CSF) 2.0: DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
9 Commonly used cybersecurity definitions and resources: (1) Common Vulnerabilities and Exposures (CVE) – A dictionary of publicly known cybersecurity vulnerabilities maintained by MITRE (and enriched by NIST's National Vulnerability Database), each assigned a unique, standardized identifier (CVE ID) to facilitate sharing and communication about the specific security flaw; (2) Common Vulnerability Scoring System (CVSS) – Measures the relative severity of software flaw vulnerabilities on a scale from 0 to 10, with 10 being the most severe; (3) Exploit Prediction Scoring System (EPSS) – Estimates the probability that a vulnerability will be observed to be exploited "in the wild" within the next 30 days (e.g., a score of 0.5 indicates a 50 percent probability that exploitation activity against the vulnerability will be observed in the next 30 days; it is not the probability that a particular firm will be compromised); and (4) Known Exploited Vulnerabilities (KEV) – CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild (organizations often use the KEV catalog as an input to their vulnerability management prioritization framework).