
Cl0p Ransomware’s Exfiltration Process Exposes RCE Vulnerability


A newly disclosed vulnerability in the Python-based data-exfiltration utility used by the notorious Cl0p ransomware group has exposed the cybercrime operation itself to potential attack.

The flaw, cataloged as GCVE-1-2025-0002, was identified by Italian security researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL) on July 1, 2025.

Vulnerability Details

The vulnerability, rated 8.9 (High) on the CVSS 4.0 scale, is a classic case of improper input validation (CWE-20).

CVE ID: GCVE-1-2025-0002
Vulnerability: Improper Input Validation
CWE: CWE-20
Severity: 8.9 (High)

The affected utility, widely deployed during Cl0p’s high-profile 2023–2024 MOVEit campaigns, constructs operating-system commands by directly concatenating attacker-supplied strings without any input sanitization.

Specifically, an authenticated endpoint on the Cl0p operators’ staging or collection host passes file or directory names received from compromised machines straight into a shell command string, where unescaped shell metacharacters are interpreted by the shell.
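As an added illustration, not the utility’s own code (the advisory does not reproduce it), the constructed Python receiver below shows the CWE-20 pattern described above, a remote-supplied name glued into a shell string, beside a hardened version that allow-lists the name and hands the shell an argv list instead; BASE_DIR, the function names and the sample inputs are assumptions.

```python
import os
import re
import shlex

# Constructed example: a collection endpoint that creates a per-victim
# directory named after a value the remote host sent. Assumed base path.
BASE_DIR = "/srv/collect"

# Allow-list: a plain filename alphabet, first character alphanumeric so a
# name can never look like a command-line option or start with '.'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def unsafe_command(name: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a shell
    string. Returned for inspection only; nothing here executes it."""
    return "mkdir -p " + BASE_DIR + "/" + name


def shell_words(cmd: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, so the
    effect of injected metacharacters such as ';' becomes visible."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def validate_name(name: str) -> str:
    """Reject anything that is not a plain filename: path separators,
    traversal components, option-looking names and shell metacharacters
    all fail the allow-list, so the caller never sees them."""
    if name in (".", "..") or not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {name!r}")
    return name


def safe_argv(name: str) -> list[str]:
    """Hardened form: validate first, then build an argv list for
    subprocess.run(argv) with shell=True left off. The name is always one
    argument and is never re-parsed by a shell; '--' ends option parsing.
    (Calling os.makedirs directly would avoid the subprocess entirely.)"""
    target = os.path.join(BASE_DIR, validate_name(name))
    return ["mkdir", "-p", "--", target]
```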

This design flaw creates a remote command execution (RCE) risk: if ...


Copyright of this story solely belongs to gbhackers.