The Clop ransomware group is targeting Gladinet CentreStack file servers in a new large-scale extortion campaign aimed at stealing sensitive data from organizations worldwide.
Gladinet CentreStack is a software platform that allows organizations to turn their existing file servers, NAS devices, or cloud storage into secure, enterprise-grade private cloud storage. Essentially, it provides a bridge between traditional on-premises file storage and cloud-like access features.
Experts from threat intel firm Curated Intelligence reported a new CLOP extortion campaign targeting Internet-facing CentreStack file servers. Over 200 IPs with the “CentreStack – Login” HTTP title may be at risk from an unknown CVE (n-day or zero-day) exploited by the group.
“PSA: Incident Responders from the Curated Intelligence community have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers,” reported Curated Intelligence.
“From recent port scan data, there appears to be at least 200+ unique IPs running the “CentreStack – Login” HTTP Title, making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems. This is yet another similar data extortion campaign by this adversary. CLOP is well-known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, GoAnywhere, among others.”
In October, Huntress researchers reported that threat actors are exploiting the Local File Inclusion (LFI) flaw CVE-2025-11371, a zero-day in Gladinet CentreStack and Triofox. A local user can exploit the issue to access system files without authentication.
Both solutions are used to manage corporate files securely while supporting remote work and collaboration.
Experts are aware of the existence of mitigations, but warn that the issue has yet to be patched.
“In earlier versions of CentreStack and Triofox vulnerable to CVE-2025-30406, a hardcoded machine key would allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability,” reads the report published by Huntress. “After subsequent analysis, Huntress discovered exploitation of an unauthenticated local file inclusion vulnerability (CVE-2025-11371) that allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability.”
Gladinet and Huntress have alerted customers to a workaround for the actively exploited CVE-2025-11371 flaw. The cybersecurity firm reported that at least three customers have been targeted so far.
The company recommends disabling the temp handler in UploadDownloadProxy’s Web.config to block exploitation of the vulnerability, though some platform functionality will be affected.
[Image from the Huntress report: the handler line to remove from UploadDownloadProxy’s Web.config]
“Removing the line highlighted above will mitigate the vulnerability present until such time as a patch can be applied,” concludes the report.
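The workaround above comes down to one handler registration in an ASP.NET Web.config. The following Python script is an added example (not code from the article, Huntress or Gladinet) that a defender can run against a copy of the file to confirm whether that registration is still present and to produce a cleaned version. It assumes the handler is registered as an `<add name="temp" …/>` element under `<system.webServer><handlers>`, which is inferred only from the article’s wording (“the temp handler”); the sample Web.config below is constructed for the example, and the real element name, path and type should be compared against the vendor’s guidance before editing a production file.

```python
"""Check an ASP.NET Web.config for the 'temp' handler that the CentreStack
CVE-2025-11371 workaround removes, and emit a copy without it.

Added example, not the article's, Huntress's or Gladinet's code.
Assumption: the handler is an <add name="temp" .../> element under
<system.webServer><handlers>; adjust HANDLER_NAME if the real file differs.
"""
import sys
import xml.etree.ElementTree as ET

HANDLER_NAME = "temp"  # assumption: name taken from the article's "temp handler" wording

# Constructed sample Web.config for demonstration; not a real Gladinet file.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="download" path="download.ashx" verb="*" type="Example.DownloadHandler" />
      <add name="temp" path="temp" verb="*" type="Example.TempHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""


def find_handlers(config_xml: str, name: str = HANDLER_NAME) -> list[dict]:
    """Return the attributes of every <add> handler whose name matches (case-insensitive)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    return [
        dict(add.attrib)
        for add in root.iterfind("./system.webServer/handlers/add")
        if add.get("name", "").lower() == name.lower()
    ]


def remove_handler(config_xml: str, name: str = HANDLER_NAME) -> tuple[str, int]:
    """Return (cleaned XML, number of matching handlers removed)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    removed = 0
    for handlers in root.iterfind("./system.webServer/handlers"):
        for add in list(handlers.findall("add")):
            if add.get("name", "").lower() == name.lower():
                handlers.remove(add)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Usage: python check_temp_handler.py <path-to-Web.config>
    # With no argument the constructed sample is checked instead.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG
    hits = find_handlers(text)
    if not hits:
        print("No handler named %r registered; workaround appears applied." % HANDLER_NAME)
    else:
        for h in hits:
            print("Handler still present:", h)
        cleaned, n = remove_handler(text)
        print("Cleaned copy (review before replacing the original; %d handler(s) removed):" % n)
        print(cleaned)
```

The script only reads the file it is given and prints a cleaned copy; replacing the original Web.config is left to the operator, since the article notes the workaround disables some platform functionality and the vendor patch should be applied as soon as it is available.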
In early December, Barts Health NHS confirmed that the Clop ransomware group stole data by exploiting the zero-day CVE-2025-61882 in its Oracle E-Business Suite. The cybercrime group added the organization to its dark web data leak site and leaked the stolen information.
The Clop ransomware gang has also been exploiting the critical Oracle EBS zero-day CVE-2025-61882 since early August, stealing sensitive data from numerous organizations worldwide, including Envoy Air, Harvard University, the Washington Post, Logitech, the University of Pennsylvania, and the University of Phoenix.
Clop (aka Cl0p) is a prolific Russian-speaking ransomware-as-a-service group specializing in big-game hunting and double-extortion.
The Clop ransomware group first appeared on the threat landscape around February 2019, emerging from the TA505 cybercrime group, a financially motivated gang active since at least 2014.
Like other Russia-based threat actors, Clop avoids targets in former Soviet countries and its malware can’t be activated on a computer that operates primarily in Russian.
Operators and affiliates identify high-value targets, steal sensitive data, encrypt networks, then publish stolen files on data-leak sites to pressure victims into paying. Clop exploits zero-days and vulnerable third-party software (e.g., MOVEit, GoAnywhere, Oracle EBS), leverages initial-access brokers and automation, and uses sophisticated evasion and lateral-movement techniques to maximize impact and monetization.
Clop’s victims include Shell, British Airways, Bombardier, University of Colorado, PwC, and the BBC.
The group conducted major campaigns including: