The Clop ransomware group has launched a new data extortion campaign targeting Internet-facing Gladinet CentreStack file servers, marking another chapter in the threat actor’s pattern of exploiting file transfer solutions.
The campaign appears to leverage multiple security weaknesses in CentreStack and its sister product Triofox, including recently discovered vulnerabilities that allow attackers to gain unauthorized access to sensitive corporate data.
Recent port scan data suggests that over 200 unique IP addresses are running systems with the “CentreStack – Login” HTTP title, making them potential targets for the Clop group.
The attackers are exploiting either a zero-day or an unknown n-day vulnerability to compromise these systems.
Curated Intelligence analysts noted that incident responders from their community have encountered this new extortion campaign across multiple organizations, raising concerns about the widespread impact of these attacks.
This campaign follows Clop’s established playbook of targeting file transfer servers. The group has previously compromised platforms such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere.
The focus on CentreStack represents an expansion of their targeting strategy, exploiting systems commonly used by businesses for secure file storage and sharing.
Two critical vulnerabilities have been identified in the CentreStack and Triofox products. The first, CVE-2025-11371, is an unauthenticated local file inclusion flaw that allows attackers to retrieve the machine key from the application Web.config file.
Using directory traversal techniques, threat actors can access any file on the server by exploiting the vulnerable endpoint at /storage/t.dn.
The second vulnerability, CVE-2025-14611, involves hardcoded cryptographic keys in the AES implementation that enable attackers to decrypt access tickets and forge their own.
Technical Breakdown of the Attack Chain
The exploitation begins when attackers target the CentreStack server through the vulnerable /storage/t.dn endpoint.
By manipulating the query parameter with directory traversal sequences, they retrieve the Web.config file containing hardcoded machine keys. A sample request looks like this:
GET /storage/t.dn?s=..\\..\\..\\Program+Files+(x86)\\Gladinet+Cloud+Enterprise\\root\\Web.config&sid=1
Once the machine key is obtained, attackers perform ViewState deserialization attacks to achieve remote code execution.
The hardcoded cryptographic keys in CVE-2025-14611 further enable them to create persistent access tickets with timestamps set to the year 9999, effectively granting indefinite access to the compromised system.
These techniques allow the Clop group to exfiltrate data without authentication, making detection and prevention challenging for affected organizations.
Organizations running CentreStack or Triofox should immediately update to version 16.12.10420.56791 and rotate their machine keys.
Administrators should also review web server logs for suspicious GET requests containing “vghpI7EToZUDIZDdprSubL3mTZ2,” which represents the encrypted path to the Web.config file.
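The log review described above can be scripted. The following is an added example, not code from the article, from Gladinet, or from any incident responder cited here. It assumes a simplified IIS W3C log layout (the field order in the `#Fields:` header below is the assumption) and uses constructed sample lines, not a real capture. It flags three things on the /storage/t.dn endpoint: traversal sequences in the query (after percent-decoding, so encoded variants are also caught), any attempt to reach Web.config through that endpoint, and the encrypted-path indicator string the article names.

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Optional

# Constructed sample log (simplified IIS W3C layout; an assumption, not a real capture):
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-01 10:00:01 GET /storage/t.dn s=..\..\..\Program+Files+(x86)\Gladinet+Cloud+Enterprise\root\Web.config&sid=1 203.0.113.10 200
2025-12-01 10:00:05 GET /storage/t.dn s=%2e%2e%5c%2e%2e%5cweb.config&sid=1 203.0.113.10 200
2025-12-01 10:01:12 GET /storage/t.dn s=vghpI7EToZUDIZDdprSubL3mTZ2&sid=7 198.51.100.7 200
2025-12-01 10:02:30 GET /storage/t.dn s=report.pdf&sid=42 192.0.2.25 200
2025-12-01 10:03:00 GET /portal/login.aspx - 192.0.2.26 200
"""

TDN_ENDPOINT = "/storage/t.dn"
# Indicator string named in the advisory (encrypted path to Web.config).
WEBCONFIG_IOC = "vghpI7EToZUDIZDdprSubL3mTZ2"
# Matches "../" or "..\" once the query has been decoded.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def normalize_query(query: str) -> str:
    """Percent-decode up to twice (catches double encoding) and treat '+' as a
    space, mirroring how the server-side query parser would see the value."""
    decoded = query
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("+", " ")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line in the assumed seven-field layout; skip comments/blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != 7:
        return None
    date, time, method, stem, query, c_ip, status = parts
    return {"date": date, "time": time, "method": method, "stem": stem,
            "query": query, "c_ip": c_ip, "status": status}


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the list of reasons a request is suspicious (empty if benign)."""
    reasons: List[str] = []
    decoded = normalize_query(rec["query"])
    if rec["stem"].lower() == TDN_ENDPOINT:
        if TRAVERSAL_RE.search(decoded):
            reasons.append("directory traversal in t.dn query")
        if "web.config" in decoded.lower():
            reasons.append("Web.config requested via t.dn")
    # The indicator is an opaque token, so match it in the raw (undecoded) query.
    if WEBCONFIG_IOC in rec["query"]:
        reasons.append("known encrypted Web.config path indicator")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return the flagged records with their reasons."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def suspicious_sources(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct client IPs behind the flagged requests, sorted for reporting."""
    return sorted({str(f["c_ip"]) for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["date"]} {h["time"]} {h["c_ip"]} {h["stem"]} {h["status"]} :: {"; ".join(h["reasons"])}')
    print("sources to review:", suspicious_sources(hits))
```

On a real server, map `parse_line` to the field order in your own IIS `#Fields:` header before running it over the logs. A status of 200 on a flagged t.dn request is the line to treat as a likely successful read; a 404 or 500 still shows that the endpoint was probed and is worth correlating with the machine-key rotation step above.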
The post Clop Ransomware Group Exploiting Gladinet CentreStack Servers to Steal Data appeared first on Cyber Security News.