Executive Summary
In December 2025, the Clop ransomware gang launched a widespread extortion campaign by exploiting internet-facing Gladinet CentreStack file servers. CentreStack, used by thousands of businesses worldwide, provides remote file sharing without a VPN. The attackers scanned for reachable servers, exploited a vulnerability that has not yet been definitively identified (potentially a zero-day, or one of the known flaws on unpatched instances), exfiltrated sensitive business data, and left ransom notes for victims. The breaches heightened concern because of Clop's record against other widely deployed enterprise platforms, notably MOVEit Transfer and Oracle E-Business Suite, where its campaigns produced large-scale data leaks and operational disruption for affected organizations.
This campaign underscores the persistent risk that sophisticated extortion groups pose to file transfer and file sharing platforms. Because these actors weaponize unknown or unpatched flaws quickly, enterprises must prioritize vulnerability management for every internet-exposed asset and track threat actor activity against remote-access file servers.
Why This Matters Now
Clop's latest campaign exposes a critical risk to organizations that rely on remote-access file sharing. The urgency is heightened by the continued use of unknown or unpatched vulnerabilities, which leaves hundreds of businesses open to rapid compromise, data theft, and regulatory consequences.
Attack Path Analysis
Clop actors exploited an unknown vulnerability in internet-exposed Gladinet CentreStack file servers to gain initial access. Once inside, they escalated privileges to obtain administrative control of the file-sharing application, then used that access to move laterally across the connected cloud and network infrastructure, identifying valuable data and further reachable systems. The actors established command-and-control communication to manage the compromised servers remotely and systematically exfiltrated sensitive files to attacker-controlled infrastructure. Finally, they left ransom notes threatening to publish the stolen data unless paid.
Kill Chain Progression
Initial Compromise
Description
Clop exploited an internet-exposed Gladinet CentreStack server via an unpatched or zero-day vulnerability, gaining unauthorized remote access.
Related CVEs
CVE-2025-11371 (CVSS 7.5)
An unauthenticated local file inclusion vulnerability in Gladinet CentreStack and Triofox allows attackers to read the application's configuration, including the ASP.NET machineKey, which can then be used to forge ViewState payloads and achieve remote code execution.
Affected Products:
Gladinet CentreStack – < 16.12.10420.56791
Gladinet Triofox – < 16.12.10420.56791
Exploit Status: exploited in the wild
CVE-2025-30406 (CVSS 9.8)
A deserialization vulnerability in Gladinet CentreStack and Triofox caused by a hardcoded ASP.NET machineKey: anyone who knows the key can craft a ViewState payload that the server deserializes, giving remote code execution.
Affected Products:
Gladinet CentreStack – <= 16.1.10296.56315
Gladinet Triofox – <= 16.1.10296.56315
Exploit Status: exploited in the wild
CVE-2025-14611 (CVSS 9.8)
A cryptographic vulnerability in Gladinet CentreStack and Triofox allows unauthorized access to sensitive data and potential remote code execution.
Affected Products:
Gladinet CentreStack – < 16.12.10420.56791
Gladinet Triofox – < 16.12.10420.56791
Exploit Status: exploited in the wild
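The three CVEs above share a common thread: two of them end in remote code execution through the ASP.NET machineKey, and all three are bounded by build numbers. The following triage helper is an added example, not Gladinet's tooling or anything from the sources above. It compares an installed build against the affected ranges exactly as this page states them, inspects a web.config for a static machineKey, and generates a replacement key for rotation. The sample web.config text and the file path are constructed for the example; no real key material is included.

```python
"""Triage helper for the Gladinet CentreStack/Triofox CVEs listed on this page.

Added example (not vendor code). Two tasks a responder needs on a suspect host:
  1. Decide from the installed version string whether the build falls inside
     the affected ranges stated on this page.
  2. Inspect web.config for a static ASP.NET <machineKey>. Both CVE-2025-30406
     and CVE-2025-11371 reach RCE through that key, and a key that was readable
     while the server was exposed must be rotated even after patching, because
     the attacker keeps a copy.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated on this page. "<" means strictly below the
# fixed build; "<=" means the stated build is itself still affected.
AFFECTED = {
    "CVE-2025-11371": ("<", "16.12.10420.56791"),
    "CVE-2025-30406": ("<=", "16.1.10296.56315"),
    "CVE-2025-14611": ("<", "16.12.10420.56791"),
}

# Constructed sample config for the example; the hex values are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF"
                decryptionKey="FFEEDDCCBBAA99887766554433221100"
                validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>"""


def parse_version(v: str) -> tuple:
    """Turn '16.1.10296.56315' into a tuple of ints so that builds compare
    numerically: as strings, '16.9' would sort above '16.12'."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted version: {v!r}")
    return tuple(int(p) for p in v.split("."))


def affected_cves(installed: str) -> list:
    """Return the CVE IDs from this page whose affected range covers `installed`."""
    inst = parse_version(installed)
    hits = []
    for cve, (op, bound) in AFFECTED.items():
        b = parse_version(bound)
        if (op == "<" and inst < b) or (op == "<=" and inst <= b):
            hits.append(cve)
    return hits


def inspect_machine_key(web_config_xml: str) -> dict:
    """Report on <system.web><machineKey>.

    'static' is True when both keys are literal values rather than
    AutoGenerate; a static key on a server that was exposed while vulnerable
    should be rotated, so 'rotate' mirrors 'static'."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return {"present": False, "static": False, "rotate": False}
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    static = not (vk.startswith("AutoGenerate") or dk.startswith("AutoGenerate"))
    return {"present": True, "static": static, "rotate": static,
            "validation": mk.get("validation"), "decryption": mk.get("decryption")}


def new_machine_key() -> dict:
    """Generate replacement keys at the sizes ASP.NET expects: a 64-byte
    HMACSHA256 validation key and a 32-byte AES decryption key, hex-encoded."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys: dict) -> str:
    """Render the element ready to paste into <system.web>."""
    attrs = " ".join(f'{k}="{v}"' for k, v in keys.items())
    return f"<machineKey {attrs}/>"


if __name__ == "__main__":
    build = "16.1.10296.56315"  # hypothetical installed build
    print(build, "affected by:", affected_cves(build))
    print("machineKey:", inspect_machine_key(SAMPLE_WEB_CONFIG))
    print(render_machine_key(new_machine_key()))
```

Run it against the real installed build and the server's own web.config; if `affected_cves` returns anything, patch first, and if `inspect_machine_key` reports `rotate: True`, replace the element with the rendered output so that any key harvested through the LFI stops working.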
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Valid Accounts (T1078)
Exfiltration Over C2 Channel (T1041)
Data Encrypted for Impact (T1486)
Data Manipulation: Stored Data Manipulation (T1565.001)
Data from Cloud Storage Object (T1530)
System Information Discovery (T1082)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Install Security Patches and Updates
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Article 10
CISA ZTMM 2.0 – Maintain Inventory of Internet-Exposed Assets
Control ID: Asset Management – Visibility and Inventory
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(d)
ISO/IEC 27001:2022 – Management of Technical Vulnerabilities
Control ID: A.8.8
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Clop ransomware targeting CentreStack file servers exposes financial institutions to data theft attacks through compromised secure file sharing systems and regulatory compliance violations.
Health Care / Life Sciences
Healthcare organizations that use CentreStack to share patient data face HIPAA violations and the risk of exfiltration hidden inside otherwise-trusted encrypted traffic during Clop's targeted extortion campaigns.
Higher Education/Academia
Universities have proven vulnerable, with Harvard and the University of Pennsylvania breached by Clop, demonstrating the academic sector's high exposure to file server exploitation.
Information Technology/IT
IT service providers that host CentreStack for clients face lateral movement from a compromised server into client environments and failures of zero trust segmentation, and need stronger threat detection to protect client data.
Sources
- Clop ransomware targets Gladinet CentreStack in data theft attacks: https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/
- Active Exploitation of Gladinet CentreStack and Triofox Products (CVE-2025-11371): https://www.aha.org/h-isac-white-reports/2025-10-10-h-isac-tlp-white-vulnerability-bulletin-active-exploitation-gladinet-centrestack-and-triofox
- Clop targets Gladinet CentreStack servers in large-scale extortion campaign: https://securityaffairs.com/185875/cyber-crime/clop-targets-gladinet-centrestack-servers-in-large-scale-extortion-campaign.html
- CentreStack RCE exploited as zero-day to breach file sharing servers: https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
- RCE flaw in MSP-friendly file sharing platform exploited by attackers (CVE-2025-30406): https://www.helpnetsecurity.com/2025/04/09/rce-gladinet-centrestack-file-sharing-exploited-cve-2025-30406/
- Gladinet, Active Exploitation of a Cryptographic Vulnerability in CentreStack and Triofox: https://nicolascoolman.eu/en/gladinet-correctif/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west controls inside the environment, network visibility, inspection of encrypted traffic, and strict egress filtering would have significantly limited Clop's ability to exploit the server, move laterally, exfiltrate data, and disrupt operations.
Control: Cloud Firewall (ACF)
Mitigation: External exposure would be minimized by perimeter firewall policies.
Control: Zero Trust Segmentation
Mitigation: Ability to move between roles or access critical app components is constrained.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are detected and blocked between workloads.
Control: Threat Detection & Anomaly Response
Mitigation: C2 channels and anomalous traffic patterns are detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound data transfers are blocked and/or logged.
With these controls in place, operational impact is identified and contained quickly.
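The Threat Detection and Egress controls above are only useful if someone writes the logic that turns raw server logs into alerts. The following detection pass is an added example and not part of the page or of any vendor product: it reads IIS W3C access logs and flags the two behaviours in this attack path, an unauthenticated configuration read using path traversal (the pattern behind the LFI described earlier), and a single client pulling an unusual volume of files in a short window (a bulk-download signal that egress filtering should also catch). The log lines are constructed, and the request paths in them are illustrative placeholders, not the product's actual vulnerable endpoint.

```python
"""Detection pass over IIS W3C logs for the CentreStack attack path.

Added example, not vendor detection content. Log lines are constructed; the
URI paths are placeholders and do not represent the real vulnerable endpoint.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample: one client harvests web.config via traversal, then pulls
# ~1.4 GB in three minutes; a second client uses double URL encoding; a third
# is ordinary daytime use.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2025-12-10 02:14:07 203.0.113.9 GET /app/fetch.ashx f=..%2f..%2f..%2fweb.config 200 4812
2025-12-10 02:14:09 203.0.113.9 POST /login.aspx - 200 1310
2025-12-10 02:16:30 203.0.113.9 GET /files/download.ashx id=4411 200 734003200
2025-12-10 02:17:02 203.0.113.9 GET /files/download.ashx id=4412 200 655360000
2025-12-10 03:40:00 192.0.2.77 GET /app/fetch.ashx f=..%252f..%252fweb.config 200 4812
2025-12-10 08:01:11 198.51.100.5 GET /files/download.ashx id=17 200 20480
2025-12-10 08:02:45 198.51.100.5 GET /dashboard.aspx - 200 9122
"""

TRAVERSAL = ("../", "..\\")
SENSITIVE_TARGETS = ("web.config", "machine.config", "global.asax")


def parse_iis(text: str):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def is_config_read(rec: dict) -> bool:
    """True when the request traverses directories toward a sensitive file.
    Decoded twice because double encoding (%252e%252e%252f) defeats a
    single-pass decoder; lower-cased because IIS paths are case-insensitive."""
    raw = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
    decoded = unquote(unquote(raw)).lower()
    return any(t in decoded for t in TRAVERSAL) and any(s in decoded for s in SENSITIVE_TARGETS)


def bulk_download_clients(records, threshold_bytes=1_000_000_000,
                          window=timedelta(minutes=15)) -> dict:
    """Sliding-window byte count per client over successful GETs.
    Returns {client_ip: bytes_in_window_at_first_crossing}."""
    by_ip = defaultdict(list)
    for r in records:
        if r["cs-method"] != "GET" or r["sc-status"] != "200":
            continue
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        by_ip[r["c-ip"]].append((ts, int(r["sc-bytes"])))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > window:   # drop events outside window
                total -= events[start][1]
                start += 1
            if total >= threshold_bytes:
                flagged[ip] = total
                break
    return flagged


def analyze(log_text: str) -> dict:
    records = list(parse_iis(log_text))
    config_reads = sorted({r["c-ip"] for r in records if is_config_read(r)})
    return {"config_reads": config_reads,
            "bulk_downloads": bulk_download_clients(records)}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Tune `threshold_bytes` and `window` to the server's normal traffic profile; the traversal check should fire regardless of status code, because a 404 on a sensitive path is still reconnaissance worth seeing.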
Impact at a Glance
Affected Business Functions
- File Sharing
- Remote Access
- Data Storage
Estimated downtime: 5 days
Estimated loss: $500,000
Unauthorized access to sensitive corporate data, including intellectual property and customer information, leading to potential data breaches and compliance violations.
Recommended Actions
Key Takeaways & Next Steps
- Enforce least-privilege and microsegmentation for all exposed file-sharing services to restrict attacker movement.
- Deploy cloud-native firewall controls and reduce direct internet exposure of critical infrastructure.
- Apply inline egress filtering to detect and block unauthorized outbound data flows from sensitive applications.
- Leverage real-time threat detection and behavioral analytics to identify unusual traffic and prevent C2 or exfiltration.
- Integrate comprehensive multicloud visibility to rapidly detect, respond, and recover from ransomware or extortion attempts.