# Clop's Exploited Vulnerabilities
> [!NOTE]
> This is the list of vulnerabilities that have been observed during intrusions that lead to Clop ransomware deployment or data exfiltration and leaks published to Clop's Tor Site

### `Accellion`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| Accellion File Transfer Appliance | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 | Clop | [mandiant.com](https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion) |

### `CentreStack`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| Gladinet CentreStack | CVE-2025-11371 | Clop | [securityaffairs.com](https://securityaffairs.com/185875/cyber-crime/clop-targets-gladinet-centrestack-servers-in-large-scale-extortion-campaign.html) |

### `Cleo`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| Cleo VLTrader, Harmony, LexiCom | CVE-2024-55956 | Clop | [huntress.com](https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild) |

### `Fortra`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| GoAnywhere Managed File Transfer | CVE-2023-0669 | Clop | [censys.io](https://censys.io/rce-zero-day-in-goanywhere-mft-cve-2023-0669/) |

### `Oracle`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| E-Business | CVE-2025-61882 | Clop | [crowdstrike.com](https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/) |


### `Progress Software`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| MOVEit | CVE-2023-34362 | Clop | [cisa.gov](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a) |

### `PaperCut`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| PaperCut Application Server | CVE-2023-27350 & CVE-2023-27351 | Clop | [twitter.com/MsftSecIntel](https://twitter.com/MsftSecIntel/status/1651346653901725696) |

### `SolarWinds`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| SolarWinds Serv-U FTP | CVE-2021-35211 | Clop | [research.nccgroup.com](https://research.nccgroup.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/) |



---

#### Sources
| Date Published | Report |
|---|---|
| 6 October 2025 | https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/ |
| 9 December 2024 | https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild |
| 7 June 2023 | https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a |
| 26 April 2023 | https://twitter.com/MsftSecIntel/status/1651346653901725696 |
| 16 Feb 2023 | https://censys.io/rce-zero-day-in-goanywhere-mft-cve-2023-0669/ |
| 8 November 2021 | https://research.nccgroup.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/ | 
| 22 Feb 2021 | https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion |