Clop Ransomware Data Extortion Attacks on Gladinet CentreStack and Triofox Servers
The Clop ransomware group has initiated a widespread data extortion campaign targeting Internet-exposed Gladinet CentreStack and Triofox file servers. Attackers are exploiting multiple vulnerabilities, including CVE-2025-11371 (an unauthenticated local file inclusion flaw), CVE-2025-14611 (hardcoded cryptographic keys), and CVE-2025-12480 (a critical remote code execution vulnerability in Triofox). These vulnerabilities allow unauthorized access, file retrieval, and even remote code execution, enabling Clop to steal sensitive corporate data and leave ransom notes on compromised systems. Security researchers and incident responders have observed active exploitation across at least 200 unique IP addresses, with evidence that both zero-day and unpatched n-day vulnerabilities are being leveraged.
Gladinet CentreStack and Triofox are widely used by businesses for secure file storage and sharing, making the impact of these attacks potentially significant. The Clop group’s campaign follows their established pattern of targeting file transfer and sharing solutions, having previously compromised platforms such as MOVEit, GoAnywhere, and Oracle EBS. Security updates have been released by Gladinet to address some of the exploited flaws, but the ongoing attacks highlight the importance of timely patching and monitoring of Internet-facing file sharing infrastructure. Technical analysis by VulnCheck and Mandiant has provided detailed insights into the exploitation methods, emphasizing the complexity and sophistication of the attack chain.
Timeline
Dec 19, 2025
Researchers link CentreStack attacks to specific Gladinet vulnerabilities
Public reporting identified the CentreStack campaign as exploiting CVE-2025-11371, a local file inclusion flaw, chained with a hardcoded key issue described as either CVE-2025-14611 or CVE-2025-30406. The flaws allowed retrieval of sensitive configuration data, remote code execution, and persistent unauthorized access.
Dec 18, 2025
Clop launches extortion campaign against Gladinet CentreStack servers
The Clop ransomware group began a data theft and extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Researchers reported more than 200 potentially exposed servers and at least three confirmed victims, with attackers stealing data and publishing it on Clop's leak site.
Dec 18, 2025
Attackers exploit Gladinet Triofox zero-day CVE-2025-12480
Threat actor UNC6485 actively exploited CVE-2025-12480, a critical Gladinet Triofox remote code execution vulnerability caused by improper Host header validation. The attack chain enabled authentication bypass, admin account creation, and remote code execution, and may also have affected the related CentreStack product.
Apr 1, 2025
Gladinet begins releasing security updates for CentreStack
Gladinet released multiple security updates starting in April 2025 to address vulnerabilities later linked to the CentreStack/Triofox attacks. These updates were intended to remediate flaws exploited in the emerging campaign.
Related Stories

Active Exploitation of Unpatched LFI Vulnerability in Gladinet CentreStack and TrioFox (CVE-2025-11371)
Attackers are actively exploiting a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox file-sharing and remote access platforms. This vulnerability is an unauthenticated local file inclusion (LFI) flaw that allows threat actors to access sensitive system files, including the application’s Web.config file. By retrieving the machine key from this configuration file, attackers can leverage a previously patched vulnerability, CVE-2025-30406, to achieve remote code execution (RCE) through ViewState deserialization attacks. Huntress, a cybersecurity firm, first detected exploitation of this flaw on September 26-27, 2025, and has confirmed that at least three customers have been impacted so far. The vulnerability affects all versions of CentreStack and TrioFox up to and including 16.7.10368.56560, and there is currently no official patch available from Gladinet. Both self-hosted and cloud-hosted deployments of these platforms are at risk, as the flaw impacts default installations and configurations. The exploitation chain involves using the LFI to extract the machine key, which is then used to craft malicious ViewState payloads that bypass integrity checks and enable arbitrary code execution on the server. Notably, Huntress observed successful exploitation even on systems that had already patched CVE-2025-30406, indicating that the previous fix was insufficient to fully mitigate the risk. In response, Huntress and other security experts recommend disabling the "temp" handler within the UploadDownloadProxy Web.config file as an immediate mitigation, though this may impact some platform functionality. Gladinet has acknowledged the vulnerability and its active exploitation but has not yet released a patch, urging customers to implement the recommended mitigations. 
The affected products are widely used by managed service providers, small businesses, and enterprises for secure file access and sharing, increasing the potential impact of this vulnerability. Attackers exploiting this flaw can gain full control over affected servers, leading to data theft, lateral movement, or further compromise of organizational networks. Security researchers are withholding some technical details to prevent further exploitation while a patch is developed. Organizations using CentreStack or TrioFox should urgently review their configurations and apply the recommended mitigations to reduce exposure. The incident highlights the risks associated with chained vulnerabilities and the importance of defense-in-depth strategies. Ongoing monitoring and threat detection are advised until a permanent fix is available. The situation remains fluid, with active exploitation continuing and the vendor working on a security update.
1 month ago
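The two interim defensive measures implied by the stories above and below, removing the "temp" handler from the UploadDownloadProxy Web.config and rotating the ASP.NET machineKey once it may have been read through the LFI, as an added example that is not Gladinet's or Huntress's code; the Web.config layout, handler attributes and `Example.*` type names are constructed assumptions, not the vendor's actual file.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Web.config in the shape of an ASP.NET site, with a
# handler named "temp" and a static <machineKey>. Layout is an assumption.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
                validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp/*" verb="*" type="Example.TempHandler" />
      <add name="upload" path="upload/*" verb="*" type="Example.UploadHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

def temp_handler_present(xml_text: str) -> bool:
    """Audit check: True if any <handlers>/<add name="temp"> is still registered."""
    root = ET.fromstring(xml_text)
    return any(add.get("name", "").lower() == "temp"
               for handlers in root.iter("handlers")
               for add in handlers.findall("add"))

def harden_web_config(xml_text: str) -> tuple[str, dict]:
    """Return hardened Web.config text plus a report of what changed.

    1. Remove every handler named "temp" (the interim mitigation for the LFI).
    2. Replace <machineKey> with fresh random keys: a key already exfiltrated via
       the LFI can then no longer be used to sign a forged ViewState payload.
    """
    root = ET.fromstring(xml_text)
    report = {"handlers_removed": 0, "machine_keys_rotated": 0}
    for handlers in root.iter("handlers"):
        for add in list(handlers.findall("add")):
            if add.get("name", "").lower() == "temp":
                handlers.remove(add)
                report["handlers_removed"] += 1
    for mk in root.iter("machineKey"):
        mk.set("validationKey", secrets.token_hex(64))  # 64 bytes for HMACSHA256
        mk.set("decryptionKey", secrets.token_hex(32))  # 32 bytes for AES-256
        mk.set("validation", "HMACSHA256")
        mk.set("decryption", "AES")
        report["machine_keys_rotated"] += 1
    return ET.tostring(root, encoding="unicode"), report

if __name__ == "__main__":
    hardened, changes = harden_web_config(SAMPLE_WEB_CONFIG)
    print(changes)
    print(hardened)
```

Rotating the machineKey invalidates existing ViewState and forms-authentication tickets, so apply it on every node of a web farm at the same time.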
Active Exploitation of Gladinet CentreStack and Triofox Cryptographic Flaw Enables Remote Code Execution
Attackers are actively exploiting a critical cryptographic vulnerability in Gladinet's CentreStack and Triofox products, which are used for secure remote file access and sharing. The flaw stems from the use of hard-coded cryptographic keys within the `GladCtrl64.dll` component, allowing threat actors to decrypt or forge access tickets and gain unauthorized access to sensitive files, including `web.config`. This access can be leveraged to obtain machine keys and achieve remote code execution via ViewState deserialization. Security researchers from Huntress have observed at least nine organizations targeted by these attacks, with exploitation occurring in the wild and Gladinet issuing advisories and updates to mitigate the risk. The vulnerability is rooted in a custom implementation of the AES algorithm, where static 100-byte strings are used to derive encryption keys and initialization vectors, making them identical across all installations. Attackers can craft malicious requests to the `/storage/filesvr.dn` endpoint, bypassing authentication and impersonating users. Gladinet has provided indicators of compromise (IoCs) and urged customers to update to the latest versions released on November 29. The attacks highlight the risks of insecure cryptographic practices and the importance of timely patching in enterprise environments.
1 month ago
Clop Exploits Oracle E-Business Suite Vulnerability for Data Extortion Attacks
Clop, a Russian-speaking cybercriminal group, has launched a widespread campaign exploiting a critical vulnerability in Oracle E-Business Suite (EBS), targeting hundreds of organizations globally. Allianz UK confirmed that it was among the victims, with the attackers compromising data belonging to 80 current and 670 former customers, though no impact was reported for its subsidiary Liverpool Victoria (LV). The attack vector was traced to Oracle EBS used in Allianz UK's personal lines business, and the company reported the incident to the Information Commissioner's Office. Other notable victims include the Washington Post and Envoy Air, with researchers estimating that dozens of organizations may have been affected since July, exploiting CVE-2025-61882. Clop's campaign is characterized by data exfiltration and extortion rather than traditional ransomware, with the group threatening to leak stolen data unless contacted by victims within a set deadline. Logitech was also named as a target, though the company has not confirmed a breach. The campaign's scale is significant, with at least 835 documented victims attributed to Clop since 2019, and the group has previously exploited vulnerabilities in other file-transfer platforms such as MOVEit and Fortra GoAnywhere. The Oracle EBS vulnerability was first detected in July, with Oracle releasing an initial patch in October that proved insufficient, necessitating a second critical update and leaving many organizations exposed for several days.
1 month ago