Current Cyber Threats

Clop Ransomware Targets Gladinet CentreStack in Data Theft Attacks

Summary:
The CL0P ransomware group is conducting a new data-theft extortion campaign targeting internet-exposed Gladinet CentreStack file servers. CentreStack is widely used by organizations to provide secure file access to on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. Incident responders from the Curated Intelligence community report that CL0P is actively scanning for vulnerable CentreStack instances and leaving ransom notes after breaching servers, although the exact vulnerability being exploited remains unknown. It is unclear whether CL0P is relying on a previously patched flaw that organizations failed to remediate or a new zero-day. However, the campaign follows a pattern of opportunistic targeting of externally accessible enterprise file-sharing infrastructure.

Security Officer Comments:
CL0P has a history of focusing its efforts on managed file transfer and file-sharing servers as entry points to conduct large-scale data theft. In the last couple of years, the group has repeatedly exploited flaws, often zero-days, in products designed to centralize sensitive business data, including Accellion FTA, GoAnywhere MFT, Cleo, MOVEit Transfer, and, more recently, Oracle E-Business Suite. By compromising these systems, CL0P is able to exfiltrate data from many organizations at once without deploying ransomware.

Just last month, the IT-ISAC saw a surge in CL0P activity, with the group listing 98 victims on its data leak site following the exploitation of CVE-2025-61882, a zero-day in Oracle E-Business Suite. Although we have yet to see any new listings in December from CL0P, the emergence of this new campaign targeting vulnerable CentreStack instances signals a new wave of extortions.

Suggested Corrections:
Cybersecurity firm Huntress recently confirmed active exploitation of an insecure-cryptography vulnerability (CVE-2025-14611) in Gladinet CentreStack and Triofox. While there is no concrete evidence to attribute the exploitation activity to CL0P, organizations should ensure that their Gladinet CentreStack and Triofox instances are up to date and properly segmented to prevent potential intrusions.

On November 29, Gladinet released a new build number for CentreStack and Triofox before advising customers on November 30 of a new security update. The latest release on Gladinet's CentreStack website as of December 8 is version 16.12.10420.56791. We recommend that potentially impacted Gladinet customers update to this latest version immediately.

Link(s):
https://www.bleepingcomputer.com/ne...s-gladinet-centrestack-servers-for-extortion/
https://www.huntress.com/blog/activ...k-triofox-insecure-cryptography-vulnerability