Clop Ransomware Group Exploits Gladinet CentreStack Servers in New Data Theft Campaign
The Clop ransomware group has initiated a new data extortion campaign targeting internet-facing Gladinet CentreStack file servers, marking a continuation of their strategy to exploit vulnerabilities in file transfer solutions. This campaign leverages multiple security weaknesses in CentreStack and its sister product, Triofox, enabling unauthorized access to sensitive corporate data.
Scope of the Attack
Recent port scan data indicates that over 200 unique IP addresses host systems exposing the "CentreStack – Login" HTTP title, making them potential targets for Clop's activities. The attackers exploit either a zero-day or an unknown n-day vulnerability to compromise these systems. Incident responders have observed this new extortion campaign across multiple organizations, raising concerns about its widespread impact.
Clop’s Targeting Strategy
This campaign aligns with Clop’s established pattern of targeting file transfer servers. The group has previously compromised platforms such as Oracle E-Business Suite, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere. The focus on CentreStack represents an expansion of their targeting strategy, exploiting systems commonly used by businesses for secure file storage and sharing.
Identified Vulnerabilities
Two critical vulnerabilities have been identified in the CentreStack and Triofox products:
1. CVE-2025-11371: An unauthenticated local file inclusion flaw that allows attackers to retrieve the machine key from the application’s Web.config file. By exploiting the vulnerable endpoint at `/storage/t.dn`, threat actors can access any file on the server using directory traversal techniques.
2. CVE-2025-14611: This vulnerability involves hardcoded cryptographic keys in the AES implementation, enabling attackers to decrypt access tickets and forge their own.
Technical Breakdown of the Attack Chain
The exploitation process begins when attackers target the CentreStack server through the vulnerable `/storage/t.dn` endpoint. By manipulating the query parameter with directory traversal sequences, they retrieve the Web.config file containing hardcoded machine keys. A sample request appears as follows:
```
GET /storage/t.dn?s=..\\..\\..\\Program+Files+(x86)\\Gladinet+Cloud+Enterprise\\root\\Web.config&sid=1
```
Once the machine key is obtained, attackers perform ViewState deserialization attacks to achieve remote code execution. The hardcoded cryptographic keys in CVE-2025-14611 further enable them to create persistent access tickets with timestamps set to the year 9999, effectively granting indefinite access to the compromised system. These techniques allow the Clop group to exfiltrate data without authentication, making detection and prevention challenging for affected organizations.
Recommendations for Organizations
Organizations running CentreStack or Triofox should take immediate action to mitigate these vulnerabilities:
– Update Software: Upgrade to version 16.12.10420.56791 to address the identified vulnerabilities.
– Rotate Machine Keys: Implement new machine keys to prevent unauthorized access.
– Monitor Logs: Review web server logs for suspicious GET requests containing `vghpI7EToZUDIZDdprSubL3mTZ2`, which represents the encrypted path to the Web.config file.
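The log review above can be scripted. The following is an added example, not code from the original article or from Gladinet: it scans IIS W3C-format log lines (field order assumed; the sample lines are constructed) for GET requests to `/storage/t.dn` that carry the encrypted Web.config indicator, a directory traversal sequence, or a plaintext Web.config reference.

```python
import re
from urllib.parse import unquote

# Indicator from the advisory: encrypted path string seen in malicious GET requests.
ENCRYPTED_WEBCONFIG_PATH = "vghpI7EToZUDIZDdprSubL3mTZ2"
VULNERABLE_ENDPOINT = "/storage/t.dn"
# Traversal check runs after URL-decoding, so ..\, ../ and %2e%2e%2f forms all match.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def is_suspicious(method, uri_stem, query):
    """Return a reason string if the request matches the CentreStack exploitation pattern, else None."""
    if method.upper() != "GET" or uri_stem.lower() != VULNERABLE_ENDPOINT:
        return None
    if ENCRYPTED_WEBCONFIG_PATH in query:
        return "encrypted Web.config path indicator"
    decoded = unquote(query.replace("+", " "))
    if TRAVERSAL.search(decoded):
        return "directory traversal in s parameter"
    if "web.config" in decoded.lower():
        return "plaintext Web.config reference"
    return None


def scan_iis_log(lines):
    """Parse IIS W3C log lines and return (client_ip, reason, query) for each matching request."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive headers
        fields = line.split()
        if len(fields) < 9:
            continue
        # Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
        _, _, _, method, stem, query, _, _, client_ip = fields[:9]
        reason = is_suspicious(method, stem, "" if query == "-" else query)
        if reason:
            hits.append((client_ip, reason, query))
    return hits


# Constructed sample log (assumed W3C field order); IPs are documentation ranges.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
2025-01-01 10:00:00 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.7
2025-01-01 10:00:01 10.0.0.5 GET /storage/t.dn s=..\\..\\..\\Program+Files+(x86)\\Gladinet+Cloud+Enterprise\\root\\Web.config&sid=1 443 - 203.0.113.9
2025-01-01 10:00:02 10.0.0.5 GET /storage/t.dn s=vghpI7EToZUDIZDdprSubL3mTZ2&sid=1 443 - 203.0.113.9
2025-01-01 10:00:03 10.0.0.5 GET /storage/t.dn s=%2e%2e%2f%2e%2e%2fWeb.config&sid=2 443 - 203.0.113.10
2025-01-01 10:00:04 10.0.0.5 GET /storage/t.dn s=abc123&sid=3 443 alice 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for client_ip, reason, query in scan_iis_log(SAMPLE_LOG):
        print(f"{client_ip}: {reason} ({query})")
```

Adjust the field unpacking to your server's `#Fields:` directive before running it against production logs.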
By promptly applying these measures, organizations can enhance their security posture and reduce the risk of data breaches associated with the Clop ransomware group’s activities.