Summary Points
- The Clop ransomware group has launched a new extortion campaign targeting Internet-facing Gladinet CentreStack file servers, exploiting multiple vulnerabilities including zero-days to access sensitive data.
- Over 200 IP addresses with CentreStack login pages have been identified as potential targets, with attackers leveraging flaws such as CVE-2025-11371 and CVE-2025-14611 to gain unauthorized access and persistently exfiltrate data.
- The attack chain involves exploiting directory traversal and Web.config file retrieval, followed by deserialization attacks that enable remote code execution and indefinite access using hardcoded cryptographic keys.
- Organizations are advised to update to the latest software version (16.12.10420.56791), rotate machine keys, and monitor logs for suspicious requests to defend against this evolving threat.
The Issue
The Clop ransomware group has launched a new data-extortion campaign against Internet-facing Gladinet CentreStack file servers. The attack exploits vulnerabilities in CentreStack and the related Triofox product, including recently disclosed flaws that give attackers unauthorized access to sensitive data. More than 200 Internet-facing IP addresses hosting CentreStack login pages have been identified, so the pool of potential victims is large, and incident response teams at several organizations have reported similar intrusions. Some of those intrusions may have used vulnerabilities that were still unknown to the vendor (zero-days) at the time. The campaign extends Clop's established focus on managed file-transfer platforms to another class of system that businesses rely on for secure file sharing.

Two vulnerabilities are central to the chain. CVE-2025-11371 lets an attacker read files through directory traversal, including the application's Web.config; CVE-2025-14611 lets an attacker forge persistent access tickets. In practice the attacker first retrieves Web.config via traversal, then uses the cryptographic keys it contains to mount a deserialization attack that executes code on the server, and finally forges tickets that keep access open indefinitely. Because those keys are hardcoded in the configuration, installing the patch does not evict an attacker who already holds them; the keys have to be rotated as well.

Organizations should update immediately and review server logs for suspicious requests. Analysts tracking these threats stress that prompt patching is the only way to stop further exploitation.
What’s at Stake?
Exploitation of Gladinet CentreStack servers by the Clop ransomware group is a serious threat to any business that exposes such a server. Once attackers reach a vulnerable server they can read and exfiltrate sensitive information, and Clop's model is extortion: the stolen data becomes leverage for payment. Operations may stall while the server is taken offline and rebuilt, productivity drops, and a disclosed breach damages the company's reputation and erodes customer trust. The result is immediate financial cost plus long-term reputational harm, which is why keeping these servers patched and hardened is worth the effort.
Possible Remediation Steps
In cybersecurity, swift action is crucial to limit damage and prevent the spread of threats like the Clop Ransomware Group exploiting Gladinet CentreStack servers. Prompt remediation not only curtails data breaches but also reinforces an organization’s overall security posture.
Containment Measures
Isolate affected servers from the network to stop further exfiltration or lateral movement, but preserve the web server logs and the current Web.config for investigation before the host is rebuilt.
Vulnerability Management
Update CentreStack and Triofox to the fixed release (16.12.10420.56791) to close the traversal and ticket-forgery entry points, and rotate the machine keys in Web.config at the same time, since keys already stolen through CVE-2025-11371 remain valid after the patch alone.
Incident Response Planning
Activate the incident response plan to assess the scope of intrusion, contain impacted systems, and guide recovery efforts.
Enhanced Monitoring
Increase logging on the servers and at the network edge, and look specifically for requests containing directory-traversal sequences (including percent-encoded forms), requests that reference Web.config, and unexpected outbound data transfers from the file server.
User Awareness
Educate staff on phishing and other signs of suspicious activity. Note that this campaign's initial access is direct exploitation of exposed servers rather than phishing, so awareness training complements the technical fixes above but does not replace them.
Access Controls
Restrict administrative privileges and enforce least-privilege policies to limit how far an attacker can move once on the network, and where possible avoid exposing the CentreStack login page directly to the Internet.
Data Backup
Ensure secure and recent backups are available to restore data without succumbing to ransom demands.
Vendor Notification
Coordinate with software vendors or security advisories to obtain patches, updates, and guidance on securing the affected systems.
By executing these steps promptly, organizations can mitigate ransomware impacts, preserve data integrity, and reduce operational disruptions.
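The two log-review recommendations above (monitor for suspicious requests, and increase logging around the file server) can be turned into a concrete hunt. The following is an added example written for this page; it is not code from Gladinet, Clop, or any incident-response team. It parses IIS W3C extended log lines, normalises each URI the way the server would (repeated percent-decoding, backslash folding), flags directory traversal and reads of Web.config, and then correlates per client IP. The log lines are constructed for the example, the "/example/..." request paths are placeholders rather than the real vulnerable endpoints, and the rule "a successful Web.config read followed by a POST from the same client suggests the deserialization follow-up" is a heuristic of this example, not a published indicator.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format. The "/example/..." paths
# are placeholders that stand in for whatever endpoint accepts a file name;
# they are not the real CentreStack endpoints.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2026-01-10 08:01:12 10.0.0.5 GET /portal/loginpage.aspx - 443 198.51.100.7 Mozilla/5.0 200
2026-01-10 08:01:15 10.0.0.5 GET /example/download.aspx file=..%252F..%252F..%252FWeb.config 443 198.51.100.7 python-requests/2.31 200
2026-01-10 08:01:40 10.0.0.5 POST /portal/loginpage.aspx - 443 198.51.100.7 python-requests/2.31 500
2026-01-10 08:02:03 10.0.0.5 GET /portal/default.aspx - 443 203.0.113.9 Mozilla/5.0 200
2026-01-10 08:02:30 10.0.0.5 GET /example/download.aspx file=..%5C..%5Cbin%5Capp.dll 443 203.0.113.9 curl/8.4 404
"""


def decode_uri(raw, rounds=3):
    """Normalise a URI fragment the way the server will see it: percent-decode
    repeatedly (attackers double-encode to slip past naive filters), fold
    backslashes to forward slashes and lower-case, so that '..%252F' and
    '..%5C' both end up as '../'."""
    s = raw
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s.replace("\\", "/").lower()


def parse_iis_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")          # IIS writes '+' for spaces inside values
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Tag one request: 'traversal' for any ../ after decoding, plus
    'web.config-read' when the traversal targets Web.config."""
    uri = decode_uri(row["cs-uri-stem"]) + "?" + decode_uri(row["cs-uri-query"])
    tags = set()
    if "../" in uri:
        tags.add("traversal")
        if "web.config" in uri:
            tags.add("web.config-read")
    return tags


def hunt(text):
    """Group traversal hits by client IP. A successful (200) Web.config read
    followed by a POST from the same client is flagged as a possible
    deserialization follow-up; that correlation is a heuristic of this
    example, not a published indicator."""
    findings = {}
    for row in parse_iis_w3c(text):          # log order is assumed chronological
        f = findings.setdefault(row["c-ip"], {
            "traversal": [], "webconfig_read": False, "post_after_read": False})
        tags = classify(row)
        if "traversal" in tags:
            f["traversal"].append(row["cs-uri-stem"] + "?" + row["cs-uri-query"])
        if "web.config-read" in tags and row["sc-status"] == "200":
            f["webconfig_read"] = True
        elif f["webconfig_read"] and row["cs-method"] == "POST":
            f["post_after_read"] = True
    return {ip: f for ip, f in findings.items() if f["traversal"]}


if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG).items():
        print(ip, f)
```

Run it as-is to see the two flagged clients; on a real server, feed it the contents of the IIS log directory instead of SAMPLE_LOG. The decoding step matters more than the pattern itself: a filter that only looks for a literal `../` in the raw line misses the double-encoded `..%252F` form, which is exactly the kind of request the advice to "monitor logs for suspicious requests" is meant to catch. A hit on a 200-status Web.config read is the trigger for rotating machine keys, not just for patching.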
