The notorious Clop ransomware collective is currently executing a large-scale data extortion operation against Gladinet CentreStack file servers globally. Security researchers have identified hundreds of internet-facing servers that are potentially vulnerable to this campaign, which follows the group's established pattern of targeting enterprise file transfer and storage solutions to gain access to high-value information.
Gladinet CentreStack serves as a critical bridge for many organizations, allowing them to transform traditional on-premises file storage and NAS devices into secure, cloud-accessible platforms. Because these systems are designed to manage and move corporate data while supporting remote work, they have become a primary target for sophisticated threat actors. Security intelligence firms have already tracked hundreds of unique IP addresses associated with CentreStack login portals that could be at risk of compromise.
The current wave of attacks appears to leverage specific security flaws, including a zero-day local file inclusion vulnerability tracked as CVE-2025-11371. By exploiting this weakness, attackers can access sensitive system files without any prior authentication. This initial breach allows threat actors to retrieve critical configuration details, which can then be used to facilitate remote code execution through the deserialization of application data.
Experts have noted that this activity is consistent with Clop’s historical focus on file transfer platforms such as MOVEit, GoAnywhere, and SolarWinds Serv-U. In this instance, the vulnerability allows the group to bypass standard security measures and gain deep access to the target’s infrastructure. While the developers have acknowledged the issue, urgent warnings to the user community about active exploitation in the wild were issued ahead of a formal patch.
In response to the escalating threat, researchers and the software vendor have issued immediate workarounds to help organizations mitigate the risk of attack. One primary recommendation involves disabling specific handlers within the application configuration files to block the exploitation path used by the ransomware group. Although implementing these changes may temporarily limit some platform functionality, it is considered a necessary step to prevent unauthorized data access.
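
One way to confirm that the handler workaround described above actually took effect, as an added example (not code from the vendor or the researchers). The page does not name the handler or the configuration file, so `EXAMPLE-HANDLER` and the sample Web.config fragments are constructed placeholders; take the real handler name from the advisory.

```python
import xml.etree.ElementTree as ET
# Placeholder: substitute the handler name/path given in the vendor advisory.
WANTED = {"EXAMPLE-HANDLER"}
# IIS integrated-pipeline and classic-pipeline handler sections.
SECTIONS = (("system.webServer", "handlers"), ("system.web", "httpHandlers"))

def active_handlers(config_xml, wanted=WANTED):
    """Return sorted 'section:key' strings for wanted handlers still registered."""
    root = ET.fromstring(config_xml)  # commented-out entries are dropped by the parser
    hits = set()
    for scope in [root, *root.iter("location")]:  # sections may sit inside <location>
        for parent, child in SECTIONS:
            blocks = [b for p in scope if p.tag == parent for b in p if b.tag == child]
            for block in blocks:
                live = []  # one key set per registered handler, in document order
                for el in block:
                    keys = {el.get("name"), el.get("path")} - {None}
                    if el.tag == "add":
                        live.append(keys)
                    elif el.tag == "remove":
                        live = [e for e in live if not e & keys]
                    elif el.tag == "clear":
                        live = []
                hits |= {f"{parent}/{child}:{k}" for e in live for k in e & wanted}
    return sorted(hits)

# Constructed Web.config samples (not copied from a real installation).
UNMITIGATED = """<configuration><system.webServer><handlers>
  <add name="EXAMPLE-HANDLER" path="example.ext" verb="*" type="Example.Type" />
</handlers></system.webServer></configuration>"""

# Entry commented out in one section but still present for the classic pipeline.
PARTIAL = """<configuration>
  <system.webServer><handlers>
    <!-- <add name="EXAMPLE-HANDLER" path="example.ext" verb="*" type="Example.Type" /> -->
  </handlers></system.webServer>
  <location path="sub"><system.web><httpHandlers>
    <add path="EXAMPLE-HANDLER" verb="*" type="Example.Type" />
  </httpHandlers></system.web></location>
</configuration>"""
MITIGATED = """<configuration><system.webServer><handlers>
  <add name="EXAMPLE-HANDLER" path="example.ext" verb="*" type="Example.Type" />
  <remove name="EXAMPLE-HANDLER" />
</handlers></system.webServer></configuration>"""

if __name__ == "__main__":
    for label, doc in (("unmitigated", UNMITIGATED), ("partial", PARTIAL), ("mitigated", MITIGATED)):
        print(label, active_handlers(doc) or "handler not registered")
```

The check reads one file at a time and does not evaluate handlers inherited from parent-level IIS configuration, so run it against every configuration file in the application's path.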
The discovery of this campaign underscores the ongoing risk faced by enterprises that rely on internet-facing file management software. With multiple organizations already confirmed as targets, security teams are being urged to audit their environments for the presence of CentreStack or Triofox software and apply the recommended mitigations immediately. Failure to secure these entry points could result in significant data loss and the subsequent extortion demands typical of the Clop group’s operations.
Source: Clop Extorts Organisations Via CentreStack Server Attacks



