Published: December 26, 2025
GiaSpace is aware of a security incident affecting a client environment that resulted from a critical zero-day vulnerability in third-party enterprise file sharing software. This vulnerability is part of a broader campaign that has impacted organizations across multiple sectors nationwide.
Upon identification of the incident, our team immediately conducted a forensic investigation and discovered evidence suggesting the software vendor was aware of active exploitation prior to providing adequate notification or remediation guidance to customers. We have preserved all relevant logs, communications, and evidence, and have shared our findings with the affected client’s legal counsel.
GiaSpace has proactively audited all client environments and confirmed this vulnerability was isolated to a single deployment. No other GiaSpace-managed clients were affected.
We continue to monitor threat intelligence related to this campaign and have implemented additional detection measures across all managed environments. We are also cooperating with industry security researchers who are tracking this ongoing threat. GiaSpace remains committed to transparency and will continue to advocate for accountability from software vendors whose products put our clients at risk.
Due to the criminal nature of the attack and for security reasons, GiaSpace cannot publicly share technical details of the attack, the restoration details, or customer-specific information.
Robert Giannini
CEO, GiaSpace
Update — February 14, 2026
Since our initial disclosure in December 2025, the affected client has completed all required breach notifications, including filings with relevant state Attorneys General and applicable federal reporting obligations. GiaSpace has also been contacted by the FBI as part of their ongoing investigation into this campaign. We are fully cooperating with federal law enforcement.
We are now able to share additional technical details about this incident.
What Happened
The attack exploited critical zero-day vulnerabilities in Gladinet CentreStack, an enterprise file-sharing platform. GiaSpace hosted a single CentreStack instance in our datacenter on behalf of one client. This was the only CentreStack deployment in our entire environment; no other GiaSpace clients used this product.
Throughout 2025, Gladinet CentreStack was the subject of multiple critical security vulnerabilities. In April 2025, CISA added CVE-2025-30406 (CVSS 9.0), a deserialization flaw caused by a hardcoded cryptographic key embedded in CentreStack’s source code that was identical across every installation worldwide, to its Known Exploited Vulnerabilities catalog. GiaSpace applied the vendor’s patch and followed all remediation guidance as it was released.
In October 2025, our security monitoring partner Huntress discovered a second zero-day vulnerability (CVE-2025-11371), an unauthenticated local file inclusion flaw that allowed attackers to retrieve the machineKey from the application configuration file, effectively re-enabling exploitation even on patched systems. Huntress notified us directly. We immediately applied the recommended mitigation. At the time, Gladinet had not released a patch for this second vulnerability.
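The two paragraphs above describe the weakness (a machineKey identical across every installation) and the file-inclusion flaw that let attackers read it from the configuration file. As an added example, not code from GiaSpace, Gladinet or Huntress, this Python script audits an ASP.NET web.config for a static or known-shared machineKey and rotates it to fresh random material; the sample config and the fingerprint set are constructed placeholders, and rotation only helps once the file-inclusion flaw that exposes the key is also closed.

```python
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config carrying a static <machineKey>. The key values
# are placeholders, not the real key shipped in CentreStack.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"
                decryptionKey="BBBB2222BBBB2222BBBB2222BBBB2222"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# SHA-256 fingerprints of validationKeys known to be identical across installs.
# Placeholder set; a real audit would load it from the vendor advisory.
KNOWN_SHARED_FINGERPRINTS = {hashlib.sha256(b"AAAA1111" * 8).hexdigest()}


def extract_machine_key(xml_text):
    """Return the <machineKey> attributes, or None when ASP.NET generates the key itself."""
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    return None if node is None else dict(node.attrib)


def audit_machine_key(xml_text):
    """Return a list of findings; an empty list means no static-key weakness was found."""
    mk = extract_machine_key(xml_text)
    if mk is None or mk.get("validationKey", "").startswith("AutoGenerate"):
        return []  # per-machine key generated at runtime: nothing static to leak or reuse
    findings = []
    if hashlib.sha256(mk["validationKey"].encode()).hexdigest() in KNOWN_SHARED_FINGERPRINTS:
        findings.append("validationKey matches a key shared across installations")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("weak validation algorithm; use HMACSHA256 or stronger")
    return findings


def rotate_machine_key(xml_text):
    """Replace the static key with fresh random material (the corrected setting)."""
    validation_key = secrets.token_hex(64)  # 64 bytes, suitable for HMACSHA256
    decryption_key = secrets.token_hex(32)  # 32 bytes, AES-256
    xml_text = re.sub(r'validationKey="[^"]*"', f'validationKey="{validation_key}"', xml_text)
    xml_text = re.sub(r'decryptionKey="[^"]*"', f'decryptionKey="{decryption_key}"', xml_text)
    return re.sub(r'validation="[^"]*"', 'validation="HMACSHA256"', xml_text)
```

Running audit_machine_key on the rotated text returns no findings, which is the check to repeat after every vendor patch to confirm the key actually changed.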
On December 6, 2025, threat actors, operating behind Cloudflare infrastructure to obscure their origin, exploited the CentreStack instance and gained unauthorized access. At the time of the attack, GiaSpace had applied every available patch and believed the system was fully remediated based on Gladinet’s published guidance. On December 8, Gladinet released yet another patch, two days after the breach had already occurred.
On December 23, 2025, GiaSpace and the affected client received extortion emails from the Cl0p ransomware group. GiaSpace immediately entered full containment mode: we removed CentreStack from the internet, initiated our incident response protocol, and brought in our security partners, Huntress, Blumira, Threatlocker, and ConnectSecure, to conduct a comprehensive investigation.
Scope of the Campaign
This was not an isolated incident targeting GiaSpace. The Cl0p ransomware group, a prolific threat actor known for targeting file-sharing platforms at scale, conducted a large-scale extortion campaign against internet-facing CentreStack servers worldwide.
- CISA added CVE-2025-30406 to its Known Exploited Vulnerabilities catalog in April 2025.
- Huntress confirmed at least 200 unique IP addresses running vulnerable CentreStack instances were potential targets.
- Cl0p’s previous campaigns exploited MOVEit, Cleo, GoAnywhere, and SolarWinds Serv-U, collectively impacting thousands of organizations worldwide.
- The attack traffic was routed through Cloudflare infrastructure, obscuring the threat actor’s origin and complicating attribution.
What Was Affected
The compromise was strictly limited to a single, internet-facing Gladinet CentreStack instance that GiaSpace hosted on behalf of one client. This was the only CentreStack deployment in our environment. No other GiaSpace clients used CentreStack.
No other systems in our datacenter were accessed or affected. There was no lateral movement beyond the CentreStack web application. The exploitation was confined entirely to the CentreStack application layer; GiaSpace’s core infrastructure, managed services platform, monitoring systems, and all other client environments remained fully secure and uncompromised throughout.
What We Did
Upon receiving the Cl0p extortion emails on December 23, GiaSpace immediately:
- Removed CentreStack from the internet and isolated the affected instance
- Initiated a full incident response, bringing in Huntress (EDR/MDR), Blumira (SIEM/event correlation), Threatlocker, and ConnectSecure for comprehensive forensic investigation
- Preserved all evidence, logs, and communications
- Notified the affected client and their legal counsel
- Performed a comprehensive audit of all managed environments to confirm no other systems were impacted
During our forensic investigation, we discovered that Gladinet had been removing previous patch revision notes from their support documentation and replacing them with newer versions, without maintaining a transparent changelog. GiaSpace had downloaded and applied prior patches and had browser history confirming the original patch documentation, which no longer matched what Gladinet was publishing. This practice made it significantly more difficult for MSPs and IT administrators to accurately track which vulnerabilities had been addressed and which remained open, and contributed directly to our belief that the system was fully patched at the time of the December 6 breach.
What We’ve Changed
This incident reinforced a principle we already operated by: no vendor should be trusted implicitly. We have since:
- Removed Gladinet CentreStack from our offerings entirely and migrated to Egnyte, an enterprise file-sharing platform with a proven security architecture
- Implemented enhanced supply chain risk assessments for all third-party software deployed in client environments, with particular scrutiny on internet-facing applications
- Established stricter criteria for hosting third-party platforms that accept inbound internet connections, including mandatory VPN/IP-restriction requirements
- Expanded monitoring coverage through Huntress and Blumira across all managed environments
Our Position on Vendor Accountability
GiaSpace applied every patch and followed every remediation step that Gladinet published throughout 2025. Despite this, our client was still compromised because Gladinet shipped a product with hardcoded cryptographic keys, failed to fully resolve the underlying vulnerability across multiple patch cycles, did not provide adequate or timely notification to clients when active exploitation campaigns were underway, and removed prior patch documentation from their support resources, making it impossible for administrators to maintain an accurate understanding of their exposure.
We believe software vendors bear significant responsibility for the downstream impact when their products contain fundamental security design flaws of this nature. We have shared our complete findings and timeline with federal law enforcement and will continue to advocate for stronger vendor accountability standards in the managed services industry.
If you have questions about this incident, please contact Robert Giannini directly at (352) 309-2208 or Helpdesk@GiaSpace.com.
Robert Giannini
CEO, GiaSpace