The Clop ransomware group has initiated a widespread data extortion campaign targeting Internet-exposed Gladinet CentreStack and Triofox file servers. Attackers are exploiting multiple vulnerabilities, including CVE-2025-11371 (an unauthenticated local file inclusion flaw), CVE-2025-14611 (hardcoded cryptographic keys), and CVE-2025-12480 (a critical remote code execution vulnerability in Triofox). These vulnerabilities allow unauthorized access, file retrieval, and even remote code execution, enabling Clop to steal sensitive corporate data and leave ransom notes on compromised systems. Security researchers and incident responders have observed active exploitation across at least 200 unique IP addresses, with evidence that both zero-day and unpatched n-day vulnerabilities are being leveraged.
Gladinet CentreStack and Triofox are widely used by businesses for secure file storage and sharing, making the impact of these attacks potentially significant. The Clop group’s campaign follows their established pattern of targeting file transfer and sharing solutions, having previously compromised platforms such as MOVEit, GoAnywhere, and Oracle EBS. Security updates have been released by Gladinet to address some of the exploited flaws, but the ongoing attacks highlight the importance of timely patching and monitoring of Internet-facing file sharing infrastructure. Technical analysis by VulnCheck and Mandiant has provided detailed insights into the exploitation methods, emphasizing the complexity and sophistication of the attack chain.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Public reporting identified the CentreStack campaign as exploiting CVE-2025-11371, a local file inclusion flaw, along with either a hardcoded key issue described as CVE-2025-14611 or CVE-2025-30406. The flaws allowed retrieval of sensitive configuration data, remote code execution, and persistent unauthorized access.
The Clop ransomware group began a data theft and extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Researchers reported more than 200 potentially exposed servers and at least three confirmed victims, with attackers stealing data and publishing it on Clop's leak site.
Threat actor UNC6485 actively exploited CVE-2025-12480, a critical Gladinet Triofox remote code execution vulnerability caused by improper Host header validation. The attack chain enabled authentication bypass, admin account creation, and remote code execution, and may also have affected the related CentreStack product.
Gladinet released multiple security updates starting in April 2025 to address vulnerabilities later linked to the CentreStack/Triofox attacks. These updates were intended to remediate flaws exploited in the emerging campaign.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcesecurityaffairs.com
Open sourcebleepingcomputer.com
Open sourcevulncheck.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.