The notorious Clop ransomware group has initiated a new data extortion campaign, specifically targeting Internet-facing Gladinet CentreStack file servers. This latest move signifies a continuation of the threat actor’s established pattern of exploiting widely used file transfer solutions to compromise organizations and steal sensitive data.
Recent intelligence indicates that over 200 distinct IP addresses, identified by the presence of “CentreStack – Login” in their HTTP titles, are now potentially vulnerable to Clop’s attacks. The group is believed to be leveraging a zero-day or an unknown n-day vulnerability within CentreStack and its sister product, Triofox, to gain unauthorized access.
Clop Ransomware Group Exploiting Gladinet CentreStack Servers
Curated Intelligence analysts have observed multiple organizations falling victim to this new extortion campaign, raising significant concerns about the widespread impact and the potential for extensive data breaches. This tactic is consistent with Clop’s modus operandi; the group has a history of successfully targeting and compromising various file transfer platforms, including Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere. The current focus on Gladinet CentreStack represents an expansion of their targeting strategy, affecting systems commonly employed by businesses for secure file storage and sharing.
Technical Breakdown of the Attack Chain
Two critical vulnerabilities have been identified within the CentreStack and Triofox products that facilitate Clop’s attacks. The first, identified as CVE-2025-11371, is an unauthenticated local file inclusion flaw. This vulnerability allows attackers to retrieve the application’s machine key from the Web.config file. By employing directory traversal techniques, threat actors can exploit the vulnerable endpoint located at /storage/t.dn to access any file residing on the server.
The second vulnerability, CVE-2025-14611, involves hardcoded cryptographic keys within the product’s AES implementation. This flaw enables attackers to decrypt existing access tickets and subsequently forge their own, granting them unauthorized privileges.
The exploitation process typically begins with attackers targeting the CentreStack server via the vulnerable /storage/t.dn endpoint. Through manipulation of a query parameter with directory traversal sequences, such as ‘..\..\..\Program Files (x86)\Gladinet Cloud Enterprise\root\Web.config’, they successfully retrieve the Web.config file containing the hardcoded machine keys.
Once the machine key is in the attackers’ possession, they can proceed with ViewState deserialization attacks, which ultimately lead to remote code execution on the compromised server. Furthermore, the hardcoded cryptographic keys tracked as CVE-2025-14611 empower the attackers to craft persistent access tickets. These tickets can be assigned timestamps far into the future, such as the year 9999, effectively granting them indefinite access to the system without further authentication.
These sophisticated techniques allow the Clop group to exfiltrate data covertly, making detection and prevention exceptionally challenging for affected organizations. The ability to bypass authentication measures contributes significantly to the success and widespread nature of these attacks.
Organizations utilizing CentreStack or Triofox are strongly advised to immediately update their systems to version 16.12.10420.56791. Additionally, it is crucial to rotate all existing machine keys to mitigate the risk of further compromise. Administrators should also diligently review their web server logs for any suspicious GET requests that contain the string “vghpI7EToZUDIZDdprSubL3mTZ2”, as this string represents the encrypted path used to access the Web.config file and may indicate an ongoing or attempted exploit.
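A simple log check for the indicator described above, as an added example that is not part of the original article: it parses IIS W3C-format entries (a constructed sample is embedded) and flags GET requests to /storage/t.dn that carry the known marker string or a decoded directory-traversal sequence. The field names follow the standard IIS #Fields header; the sample IPs and timestamps are made up.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real traffic); fields follow the
# "#Fields:" header, which real IIS logs also emit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-10-02 03:14:07 203.0.113.7 GET /storage/t.dn s=vghpI7EToZUDIZDdprSubL3mTZ2 200
2025-10-02 03:14:09 203.0.113.7 GET /storage/t.dn s=..%5C..%5C..%5CProgram+Files+(x86)%5CGladinet+Cloud+Enterprise%5Croot%5CWeb.config 200
2025-10-02 03:15:00 198.51.100.4 GET /storage/t.dn s=report.pdf 200
2025-10-02 03:15:30 198.51.100.4 GET /portal/loginpage.aspx - 200
"""

# Marker from the advisory: the encrypted path used to reach Web.config.
KNOWN_MARKER = "vghpI7EToZUDIZDdprSubL3mTZ2"
VULN_ENDPOINT = "/storage/t.dn"
# Decoded traversal: "..\" or "../", possibly repeated, or a direct Web.config reference.
TRAVERSAL = re.compile(r"(\.\.[\\/])|web\.config", re.IGNORECASE)

def parse_iis(text):
    """Yield dict rows from a W3C-format IIS log, using its #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_suspicious(text):
    """Return (ip, reason, raw query) for GET hits on the vulnerable endpoint
    that carry the known marker or a decoded directory-traversal sequence."""
    hits = []
    for row in parse_iis(text):
        if row.get("cs-method") != "GET" or row.get("cs-uri-stem", "").lower() != VULN_ENDPOINT:
            continue
        query = row.get("cs-uri-query", "-")
        decoded = unquote(unquote(query.replace("+", " ")))  # also catches double-encoding
        if KNOWN_MARKER in query:
            hits.append((row["c-ip"], "known-marker", query))
        elif TRAVERSAL.search(decoded):
            hits.append((row["c-ip"], "traversal", query))
    return hits

if __name__ == "__main__":
    for ip, reason, query in find_suspicious(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{query}")
```

Point find_suspicious at the contents of the IIS log directory for the CentreStack site; a hit on the known marker is the stronger signal, while a bare traversal hit warrants a look at the source IP's other requests.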
The ongoing exploitation of file transfer solutions by the Clop group underscores the persistent threat posed by supply chain attacks. As new vulnerabilities are discovered and exploited, organizations must remain vigilant in their security practices, prioritizing timely patching and robust logging and monitoring to detect and respond to emerging threats effectively.