CL0P Ransomware Targets Gladinet CentreStack in New Campaign
The CL0P ransomware group has recently set its sights on Gladinet’s CentreStack file servers as part of its latest extortion effort. This alarming trend was highlighted in a LinkedIn announcement from the Curated Intelligence project, where incident response professionals initially flagged this growing threat.
Emerging Threats and Targeted Vulnerabilities
According to a recent advisory from Cyble, CL0P seems poised to launch a significant wave of attacks following earlier exploits of vulnerabilities in Oracle E-Business Suite. This earlier campaign reportedly affected over 100 organizations. Cyble’s findings suggest that the group is preparing its dark web data leak site (DLS) for incoming victims, which echoes previous strategies involving mass data leak disclosures. Currently, it appears there’s an organized effort to catalog and group victims based on their association with these Oracle vulnerabilities, indicating a coordinated response may be imminent for those targeted through Gladinet CentreStack. As of now, specific victim samples or timelines related to these latest attacks have not been disclosed.
Understanding the Vulnerabilities: Known and Unknown
It remains unclear whether CL0P is exploiting known vulnerabilities or leveraging new, undisclosed zero-day exploits. Curated Intelligence pointed to a report from Huntress, suggesting a potential link to recent findings. That report identified CVE-2025-11371, a vulnerability that allows external parties to access certain files within Gladinet’s CentreStack and TrioFox systems. The issue was listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog earlier in November.
Furthermore, Huntress identified additional vulnerabilities that threat actors could exploit. These include CVE-2025-30406, a hard-coded cryptographic key vulnerability, and CVE-2025-14611, which pertains to similar hard-coded cryptographic weaknesses in both Gladinet CentreStack and TrioFox. Each carries its own risks; the former has been in the KEV catalog since April, and the latter was added in December.
As of December 8, the recommended version of Gladinet’s CentreStack software is 16.12.10420.56791. Experts urge any potentially impacted users to promptly update to this latest iteration to bolster defenses. Also recommended is the rotation of the machineKey, which is essential for maintaining security integrity.
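As an added example (not code from Gladinet, Huntress or the article), the following Python checks a server inventory against the two recommendations above: the build number and machineKey rotation. The inventory format, hostnames, the older version string and the key values are constructed, and it assumes the key is set as `validationKey`/`decryptionKey` attributes on an ASP.NET `<machineKey>` element.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

RECOMMENDED = (16, 12, 10420, 56791)  # build the article recommends as of December 8

def parse_version(text):
    """'16.12.10420.56791' -> (16, 12, 10420, 56791); tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def key_fingerprint(web_config_xml):
    """Short SHA-256 of explicit machineKey values (never the key itself), or None if unset."""
    node = ET.fromstring(web_config_xml).find(".//machineKey")
    if node is None:
        return None
    keys = [node.get("validationKey", ""), node.get("decryptionKey", "")]
    if all(k == "" or k.startswith("AutoGenerate") for k in keys):
        return None
    return hashlib.sha256("|".join(keys).encode()).hexdigest()[:16]

def audit(inventory):
    """inventory: list of (host, version, web_config_xml, fingerprint_before_rotation)."""
    findings, by_fp = defaultdict(list), defaultdict(list)
    for host, version, config, old_fp in inventory:
        if parse_version(version) < RECOMMENDED:
            findings[host].append("below recommended build")
        fp = key_fingerprint(config)
        if fp is not None:
            by_fp[fp].append(host)
            if fp == old_fp:
                findings[host].append("machineKey not rotated")
    for hosts in by_fp.values():
        if len(hosts) > 1:  # identical key on several servers: shipped or copied, not unique
            for host in hosts:
                findings[host].append("machineKey shared with " + ", ".join(h for h in hosts if h != host))
    return dict(findings)

def make_config(validation, decryption):
    """Build a minimal web.config string for the constructed samples below."""
    return ('<configuration><system.web><machineKey validationKey="%s" '
            'decryptionKey="%s" /></system.web></configuration>' % (validation, decryption))

# Constructed sample data: hostnames, the older version and all key values are invented.
OLD, NEW = make_config("AA11" * 16, "BB22" * 8), make_config("CC33" * 16, "DD44" * 8)
SAMPLE = [
    ("files-01", "16.12.10420.56791", NEW, key_fingerprint(OLD)),
    ("files-02", "16.9.10000.50000", OLD, key_fingerprint(OLD)),
    ("files-03", "16.12.10420.56791", OLD, None),
]
if __name__ == "__main__": print(audit(SAMPLE))
```

Versions are compared as integer tuples because a plain string comparison would rank `16.9` above `16.12` and miss the outdated host.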
Historical Context: CL0P’s Targeting Patterns
CL0P has established a reputation for effectively exploiting file-sharing and transfer systems, making it one of the most prominent ransomware threats in recent years. Historically, their targets have included various services such as Oracle EBS, Cleo FTP, MOVEit, and others. A notable example of their impact occurred earlier this year when vulnerabilities in Cleo MFT resulted in a surge of ransomware incidents.
This group’s persistence alongside their ability to exploit vulnerabilities at scale has positioned them as one of the top five ransomware groups over their six years of activity. Curated Intelligence underscored that this new campaign marks another chapter in CL0P’s ongoing series of data extortion efforts, suggesting a predictable pattern that organizations must remain vigilant against.
Potential Impact and Recommendations
With recent port scanning data revealing over 200 distinct IP addresses running “CentreStack – Login,” these systems present a significant risk of being targeted by CL0P. This highlights the need for heightened security consciousness, especially in organizations utilizing Gladinet’s CentreStack services.
As businesses increasingly rely on digital file management systems, understanding the nature of these vulnerabilities and proactively addressing them is crucial. Organizations are encouraged to maintain updated software versions and implement rigorous security measures, including regular system reviews and updates, as well as staff training on recognizing potential threats.
By staying informed and prepared, businesses can better defend themselves against ransomware threats like those posed by the CL0P group.


