Listen to this Post

Introduction: A Familiar Threat Finds a New Door
The Clop ransomware group is once again expanding its reach, this time by targeting Gladinet CentreStack file servers in what appears to be a coordinated, large-scale data extortion campaign. Known for exploiting trusted enterprise software, Clop is now abusing weaknesses in systems designed to securely manage corporate files and remote collaboration. This development highlights a growing pattern in modern cybercrime, where attackers prioritize high-value infrastructure that sits at the crossroads of on-premises storage and cloud accessibility.
the Original Report
Gladinet CentreStack is widely used by organizations to transform traditional file servers, NAS devices, or cloud storage into private, enterprise-grade cloud environments. Its appeal lies in offering cloud-like access without fully abandoning on-premises infrastructure. However, this same exposure has made Internet-facing CentreStack servers an attractive target.
Threat intelligence researchers from Curated Intelligence have identified a new Clop extortion campaign aimed specifically at CentreStack systems exposed to the internet. Their findings suggest that more than 200 unique IP addresses displaying the “CentreStack – Login” HTTP title could be vulnerable. The attackers are believed to be exploiting an unknown vulnerability, possibly an n-day or a true zero-day, to gain access and steal sensitive data.
Curated Intelligence warned incident responders that this campaign mirrors Clop’s previous operations against file transfer and enterprise management platforms. Historically, the group has successfully targeted products such as MOVEit, GoAnywhere, Cleo FTP, CrushFTP, SolarWinds Serv-U, PaperCut, and Oracle E-Business Suite, often with devastating consequences for victims.
Adding to the concern, Huntress researchers revealed that threat actors are actively exploiting CVE-2025-11371, a local file inclusion vulnerability affecting Gladinet CentreStack and Triofox. This flaw allows local users to access sensitive system files without authentication. Combined with earlier weaknesses, including a hardcoded machine key vulnerability that enabled ViewState deserialization attacks, attackers could escalate their access to full remote code execution.
Although mitigations exist, no official patch has been released at the time of reporting. Gladinet and Huntress have advised customers to apply a temporary workaround by disabling a specific handler in the UploadDownloadProxy Web.config file, acknowledging that this may impact platform functionality. At least three organizations have already been confirmed as targets.
This CentreStack campaign fits into a broader pattern of Clop activity. In December, Barts Health NHS confirmed data theft following exploitation of an Oracle EBS zero-day vulnerability. Since August, the same Oracle flaw has been abused to compromise organizations such as Harvard University, the Washington Post, Logitech, and multiple airlines and universities.
Clop, also known as Cl0p, is a Russian-speaking ransomware-as-a-service operation that emerged in 2019 from the TA505 cybercrime ecosystem. The group specializes in double extortion, stealing data before encrypting systems and publishing stolen information on dark web leak sites. Its operators deliberately avoid targets in former Soviet states and design their malware to remain inactive on Russian-language systems. Over the years, Clop has built a reputation for precision attacks, advanced automation, and aggressive monetization strategies, with notable victims including Shell, British Airways, PwC, and the BBC.
What Undercode Say:
The CentreStack targeting campaign is less about a single vulnerability and more about a strategic shift in attacker priorities. Clop has consistently demonstrated that enterprise file management platforms represent an ideal attack surface. These systems aggregate sensitive data, maintain persistent connectivity, and are often exposed to the internet for remote work enablement. From an attacker’s perspective, compromising one such platform offers immediate access to high-value information without the need to laterally move through a network.
What stands out in this case is the repeated chaining of vulnerabilities. The exploitation path described by Huntress shows how even a “local” flaw can become catastrophic when combined with poor key management and legacy design decisions. Hardcoded machine keys and insecure ViewState handling are problems that should have been eliminated years ago, yet they continue to surface in modern enterprise software.
Another critical factor is patch latency. Clop thrives in the gap between disclosure, mitigation guidance, and actual patch deployment. Temporary workarounds, while necessary, are not sustainable defenses. Organizations that delay updates or rely on compensating controls effectively remain soft targets in prolonged extortion campaigns.
This incident also reinforces a broader industry lesson. Security models built around perimeter trust are failing in environments where file servers double as cloud gateways. Internet-facing administrative interfaces should be treated as high-risk assets, continuously monitored, and isolated wherever possible. The fact that hundreds of CentreStack instances were easily identifiable via simple HTTP titles suggests that asset exposure management is still an afterthought in many enterprises.
Finally, Clop’s persistence confirms that ransomware groups are evolving beyond opportunistic attacks. They are conducting product-specific research, tracking vendor response cycles, and reusing proven techniques across different platforms. This is no longer smash-and-grab cybercrime. It is industrialized data extortion, and software vendors, not just end users, are now on the front lines.
Fact Checker Results
✅ Clop is actively targeting Internet-facing Gladinet CentreStack servers using unknown or unpatched vulnerabilities.
✅ CVE-2025-11371 and related flaws can be chained to achieve remote code execution.
❌ There is currently no confirmed universal patch fully eliminating all exploited attack paths.
Prediction
📊 More enterprise file management platforms will become prime ransomware targets as remote work infrastructure remains exposed.
📊 Clop is likely to continue exploiting n-day vulnerabilities faster than organizations can patch them.
📊 Vendors will face increased pressure to redesign legacy security components, not just issue temporary mitigations.
▶️ Related Video (82% Match):
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




