Cleo produces a widely deployed suite of managed file transfer (MFT) products — Harmony, VLTrader, and LexiCom — used by more than 4,000 organizations, primarily mid-sized businesses, to move sensitive data between systems, partners, and customers. MFT platforms sit at an attractive intersection for ransomware operators: they have trusted access to large volumes of sensitive business data, they are often internet-facing, and a single compromise can yield material from multiple organizations' supply chain relationships. Cl0p identified this same dynamic in MOVEit Transfer in 2023 and GoAnywhere MFT before that. Cleo became the next chapter of the same playbook.
The Vulnerability Timeline: Two CVEs and One Incomplete Fix
On October 30, 2024, Cleo published a security advisory for CVE-2024-50623 — a vulnerability in Harmony, VLTrader, and LexiCom that allowed unrestricted file uploads and downloads via the /Synchronization endpoint, enabling remote code execution. The advisory recommended upgrading to version 5.8.0.21, which Cleo said addressed the issue.
Within days of the patch's release, organizations that had applied it were still reporting successful compromises. Cl0p had either developed an exploit before the patch shipped or had found a way around the fix while Cleo believed the issue was resolved. Active exploitation began on December 3, 2024, and within four days at least ten Cleo customer environments had been breached — organizations in trucking, shipping, and food industries among them.
Huntress researchers, monitoring their customer environments, first reported the continued exploitation publicly on December 9. Rapid7 examined the situation and assessed that the October patch had added file path validation to address the root cause of CVE-2024-50623, but could not confirm with high confidence that version 5.8.0.21 had fully remediated the issue. More significantly, Rapid7 concluded that a second, separate vulnerability was in play — not a bypass of the first, but a distinct flaw in the same area of the codebase.
On December 10, Cleo issued an updated advisory and simultaneously released version 5.8.0.24, which contained a new security patch for what was later designated CVE-2024-55956 on December 13. The new CVE was an unauthenticated file write vulnerability in the /Synchronization endpoint that specifically targeted the default configuration of the Autorun directory — a feature that automatically executes files placed in a specified folder, intended to automate installation scripts but repurposed here as an arbitrary command execution primitive.
CVE-2024-50623 allows unauthenticated file reads and writes via the /Synchronization endpoint, rooted in insufficient input validation and improper path sanitization. CVE-2024-55956 allows unauthenticated execution of arbitrary Bash or PowerShell commands by writing files into the default Autorun directory, which Cleo processes automatically. Both vulnerabilities target the same endpoint and affect the same three products. Both are listed in CISA's Known Exploited Vulnerabilities catalog. Version 5.8.0.24 addresses both. Version 5.8.0.21 addresses only CVE-2024-50623.
Rapid7 specifically noted that CVE-2024-55956 is not a patch bypass — it is a distinct vulnerability with a different root cause and different exploitation strategy, despite sharing the same endpoint and affected products. The two flaws happening to co-exist in the same area of the codebase created significant confusion for defenders trying to understand whether patching the October fix was sufficient. It was not. Organizations that upgraded to 5.8.0.21 in October were protected against CVE-2024-50623 but remained fully exposed to CVE-2024-55956 until 5.8.0.24 was applied.
The Attack Chain: From File Upload to Java Backdoor
The exploitation sequence documented across the December 2024 campaign is consistent across affected environments and follows a structured chain from initial access through persistent backdoor deployment.
Stage 1 — Unauthenticated file write. The attacker exploits either CVE-2024-50623 or CVE-2024-55956 to place a malicious file on the server without authentication. No credentials, no prior access, no social engineering required. The /Synchronization endpoint's insufficient validation allows the write to complete.
Stage 2 — Autorun execution. The malicious file is written into Cleo's Autorun directory, or causes a file to appear there. Cleo's software processes this directory automatically, executing whatever is found there. The first payload executed is typically a ZIP archive containing an XML configuration file, which triggers further execution steps.
Stage 3 — PowerShell stager. The initial execution chain resolves to an obfuscated PowerShell stager that performs initial reconnaissance, collects basic host and network information, and establishes communication with attacker-controlled command-and-control infrastructure. The stager is designed to be a minimal-footprint first stage — gathering enough context to decide on next steps while avoiding noisy indicators that might trigger early detection.
Stage 4 — Java loader and Cleopatra/Malichus backdoor. The PowerShell stager downloads a Java loader, which in turn deploys the primary post-exploitation payload. Two research teams analyzing the same malware family gave it different names — Arctic Wolf designated it Cleopatra, Huntress and Rapid7 designated it Malichus. It is the same Java-based backdoor. The payload supports cross-platform operation across Windows and Linux, uses in-memory file storage to reduce on-disk artifacts, and is specifically designed to interact with data stored within Cleo MFT software — including access to the conf/Options.xml configuration file specific to Cleo's Versalex system, which contains credentials, connection configurations, and operational parameters.
Although the campaign used multiple IP addresses as C2 destinations, Arctic Wolf's analysis confirmed that all vulnerability scanning originated from just two IP addresses: 38.180.51.138 and one additional address. This concentration in scanning infrastructure, despite diverse C2 endpoints, suggests a coordinated, centrally managed campaign rather than distributed affiliate activity — consistent with Cl0p's operational model of executing mass exploitation campaigns from controlled infrastructure.
Stage 5 — Post-exploitation and data theft. With the backdoor established, operators conducted Active Directory reconnaissance, enumerated network connections to identify pivoting opportunities, and executed commands to exfiltrate files. In more advanced cases, attackers deleted artifacts to hamper forensic analysis, suggesting awareness of ongoing incident response activity. The primary objective was data exfiltration to support Cl0p's double-extortion model: steal the data, then threaten to publish it unless ransom is paid.
Attribution: Cl0p Owns the Campaign
Attribution in the initial days of the campaign was contested. Some researchers, including security analyst Kevin Beaumont, pointed to the Termite ransomware group — which had claimed a supply chain attack on Blue Yonder (disrupting Starbucks' employee scheduling and payroll operations) in the weeks before Cleo exploitation began. Termite did claim initial victims from Cleo compromises on its leak site.
Cl0p subsequently made unambiguous statements to BleepingComputer and posted on its own leak site claiming responsibility for the Cleo campaign. The group has the most obvious historical precedent for this class of attack: Cl0p's exploitation of CVE-2023-34362 in MOVEit Transfer in May 2023 — a SQL injection zero-day that resulted in data theft from an estimated 2,000 organizations — was the defining mass MFT exploitation event of recent years. The Accellion File Transfer Appliance campaign in December 2020 and the GoAnywhere MFT campaign in February 2023 also carry Cl0p attribution. The pattern of identifying and weaponizing zero-day vulnerabilities in MFT platforms for data theft extortion is Cl0p's established operational signature.
In December 2024, Cl0p added the obfuscated names of 66 alleged victim organizations to its leak site. On January 14 and 15, 2025, those names were unveiled with a deadline of January 18 to initiate contact before data would be published. Three organizations had data released between January 17 and 18, 2025. WK Kellogg disclosed a breach in early 2025 that is attributable to the Cleo campaign, based on its timing and the company's appearance on Cl0p's leak site, with at least one individual's name and Social Security number exposed. Cl0p's alleged victims from the Cleo campaign were disproportionately concentrated in supply chain and logistics sectors — approximately 20% of named organizations, compared to roughly 2.8% across the broader ransomware landscape. North American organizations accounted for approximately 80% of Cl0p's named victims, consistent with Cleo's customer base concentration.
Supply Chain Impact: Why MFT Is Such a Valuable Target
Understanding why Cl0p returns to MFT platforms repeatedly requires understanding what MFT software does and where it sits in enterprise architecture. Managed file transfer platforms are the conduit through which organizations exchange sensitive operational data with trading partners, customers, suppliers, and internal systems. A manufacturing company uses Cleo to send purchase orders, receive invoices, exchange shipping manifests, and synchronize inventory data with dozens or hundreds of partners simultaneously. A healthcare organization uses it to transmit patient records, billing data, and insurance claims. A retailer uses it to coordinate order fulfillment, supply chain logistics, and financial transactions.
This creates several characteristics that make MFT platforms exceptionally valuable as ransomware entry points. First, the data flowing through them is dense with sensitive material: financial records, personal information, intellectual property, and operational data that organizations have strong incentives to keep private. Second, the MFT server typically has trusted, authenticated relationships with many downstream partner systems — compromising it can provide access or credential material that enables lateral movement into those partners' environments. Third, MFT servers are almost always internet-facing to enable the partner connectivity they exist to support, which means exploitation of a vulnerability requires no prior foothold inside the network perimeter.
Cl0p's Cleo campaign fueled a 23% increase in overall ransomware activity between Q4 2024 and Q1 2025, and Q1 2025 set a record for ransomware victims listed on data-leak sites. Manufacturing was the most affected sector, accounting for more than a quarter of confirmed victims — directly reflecting Cleo's prevalence in production workflow integration. Retail trade jumped from sixth to fourth most-affected sector, with Cl0p's campaign accounting for 46% of retail organizations named on leak sites during the quarter. Many retailers rely on Cleo for e-commerce transactions, order fulfillment, and supplier coordination.
Cl0p's serial exploitation of MFT platforms follows a consistent business logic. Each new MFT platform targeted represents a new population of organizations that rely on it — a single zero-day can yield hundreds of victims simultaneously, all data-rich and all running the same vulnerable software. The marginal cost of adding each additional victim after the initial exploitation capability is developed is extremely low. These economies of scale in initial access are what drive the MFT focus rather than any ideological targeting — it is simply the most efficient way to generate large volumes of extortionable data access in a short period.
Cl0p in Context: A Pattern of MFT Mass Exploitation
The Cleo campaign is best understood as the fourth iteration of Cl0p's MFT-targeting strategy, not an isolated incident. The group's history of MFT zero-day exploitation is consistent and escalating in both capability and reach:
- Accellion FTA (December 2020): Four zero-day vulnerabilities in Accellion's legacy File Transfer Appliance, deployed a DEWMODE web shell, breached up to 100 companies. CISA subsequently designated this as a significant supply chain attack.
- GoAnywhere MFT (February 2023): CVE-2023-0669, a remote code execution vulnerability, exploited to steal data from approximately 130 companies over 10 days. Victims that refused ransom demands were listed on the Cl0p leak site.
- MOVEit Transfer (May 2023): CVE-2023-34362, a SQL injection zero-day in Progress Software's MOVEit Transfer, exploited in one of the largest supply chain data theft campaigns in cybercrime history. Estimated 2,000 organizations compromised, total cost assessed in the hundreds of millions of dollars. This campaign established Cl0p as the dominant MFT threat actor.
- Cleo MFT (December 2024): Two vulnerabilities in Cleo Harmony, VLTrader, and LexiCom, with the second discovered and exploited during the patching cycle for the first. 66+ named victims across manufacturing, logistics, retail, and technology sectors.
Cl0p's continued operational success with this approach despite public exposure after each campaign reflects both the group's technical capability and the persistent vulnerability of MFT infrastructure. After the MOVEit campaign, Cl0p was widely assessed as the most prolific ransomware group in Q1 2025 — surpassing LockBit in publicly disclosed breaches. The group's model — zero-day discovery, mass exploitation, data theft, extortion without traditional ransomware encryption — is faster, lower-risk for the operators, and produces fewer law enforcement triggers than encryption-based attacks.
Detection and Response Guidance
For organizations running Cleo MFT products, the immediate priority is patching. Both CVE-2024-50623 and CVE-2024-55956 are addressed in version 5.8.0.24. Both are listed in CISA's Known Exploited Vulnerabilities catalog. CISA set a compliance deadline of January 7, 2025 for federal civilian agencies. For any organization still running versions below 5.8.0.24, upgrade is urgent — proof-of-concept exploit code for both vulnerabilities is publicly available.
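The version confusion described in the vulnerability timeline (5.8.0.21 closes only CVE-2024-50623, 5.8.0.24 closes both) and the "below 5.8.0.24" threshold in the paragraph above are easy to get wrong in an inventory script that compares version strings lexically. The following triage helper is an added example written for this page, not code from Cleo or from any of the cited researchers: the fixed-in versions are the ones the article states; the function names, the padding rule for short version strings and the handling of unparsable values are assumptions.

```python
"""Map an installed Cleo Harmony/VLTrader/LexiCom version string to the CVEs it still carries.

Added example: the fixed-in versions come from the advisories summarised above; everything
else (function names, padding rule, unparsable-version handling) is an assumption for illustration.
"""
import re

# Version that first contains the fix for each CVE, per the article.
FIXED_IN = {
    "CVE-2024-50623": (5, 8, 0, 21),  # unauthenticated read/write via /Synchronization
    "CVE-2024-55956": (5, 8, 0, 24),  # Autorun-directory file write leading to command execution
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'5.8.0.21' -> (5, 8, 0, 21), padded to four fields so '5.8' compares as (5, 8, 0, 0).

    Comparing tuples is the point: as plain strings, '5.8.0.9' sorts after '5.8.0.24',
    and a naive inventory script would report the older build as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    fields = tuple(int(p) for p in m.group(1).split("."))
    return (fields + (0, 0, 0, 0))[:4]


def unpatched_cves(installed):
    """Return the CVEs from FIXED_IN whose fix the installed version does not yet include."""
    v = parse_version(installed)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: list of open CVEs}.

    Hosts with an unparsable version are reported for manual review rather than
    silently treated as patched.
    """
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = unpatched_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]
    return report


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {"mft-01": "5.8.0.21", "mft-02": "5.8.0.24", "mft-03": "5.8.0.9", "mft-04": "n/a"}
    for host, open_cves in triage(sample).items():
        print(f"{host}: {'patched' if not open_cves else ', '.join(open_cves)}")
```

The October-patched host (5.8.0.21) comes back with CVE-2024-55956 still open, which is exactly the state the article describes for organizations that believed they were protected.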
For organizations assessing whether they may have been compromised prior to patching, the following indicators and detection approaches are relevant:
- Unexpected files in the Autorun directory. The Autorun exploit chain plants files in Cleo's autorun folder (<install_dir>/autorun/). Any files present in this directory that were not placed there by administrators should be treated as indicators of compromise.
- Unexpected child processes spawned from Cleo Java processes. The post-exploitation chain involves PowerShell spawning from child processes of the Java-hosted Cleo services. Process creation events showing powershell.exe or cmd.exe with a Cleo Java process as parent are high-fidelity indicators of exploitation activity.
- Inbound connections from scanning IP addresses. The two scanning IP addresses documented by Arctic Wolf — 38.180.51.138 (Artnet Sp.) and one additional host — should be checked in web server logs and network flow data for any Cleo-running systems. Connection attempts from these addresses to the /Synchronization endpoint indicate active probing.
- Evidence of Active Directory enumeration commands post-exploitation. Darktrace and other researchers documented AD reconnaissance commands executing on compromised hosts. Basic discovery commands including network enumeration and system profiling following the PowerShell stager activity indicate attacker dwell time and should trigger incident response escalation.
- Unusual outbound connections from the Cleo server to unexpected IP addresses. Darktrace documented cases of Cleo VLTrader systems reaching out to unusual IP addresses — including a Lithuanian IP address across AS 15440 (UAB Baltnetos komunikacijos) — as C2 beacon traffic. Monitoring internet-facing MFT servers for unexpected outbound connection patterns is a detection technique that applies both to Cleo and to other MFT platforms.
- Java processes loading configuration from conf/Options.xml with unusual parameters. Cleopatra/Malichus parses Cleo's conf/Options.xml to access stored credentials and configuration. Monitoring access patterns to this file outside of normal Cleo process activity can surface backdoor access.
Rapid7 specifically recommended that organizations disable Cleo's Autorun directory if immediate patching is not possible, as a temporary mitigation — the CVE-2024-55956 exploit requires this directory to be enabled and set to default configuration. Disabling or restricting it removes the primary execution pathway for the second vulnerability even if patching is delayed.
The Broader MFT Security Lesson
The Cleo campaign illustrates a pattern that has now repeated across at least four major MFT platforms in four years. The pattern has consistent characteristics that defenders and procurement teams should internalize.
MFT platforms are systematically targeted because of their architectural position — internet-facing, data-dense, trusted by many partner systems simultaneously. Any organization that runs MFT software should treat that software as a high-risk, high-priority target in its patching and monitoring posture, not as infrastructure that can be maintained on a quarterly patch cycle. Cl0p and operators with similar capabilities have demonstrated they will weaponize MFT zero-days quickly; the window between vulnerability disclosure and active exploitation has been days in multiple campaigns.
The Cleo incident also highlights a specific patch management risk: an incomplete fix that creates false confidence. Organizations that applied the October patch believed they were protected. They were not — not because the patch failed entirely, but because there was a second, distinct vulnerability in the same codebase that the patch did not address. Verifying patch effectiveness requires more than confirming the software was updated; it requires confirming which specific issues the update addressed and whether any related issues remain open.
Key Takeaways
- Two separate vulnerabilities, not a patch bypass. CVE-2024-50623 and CVE-2024-55956 are distinct flaws with different root causes and different exploitation strategies, both in the same endpoint. Version 5.8.0.21 addressed the first; version 5.8.0.24 addresses both. Organizations that patched in October 2024 were not protected against December's exploitation.
- The Autorun directory is the critical execution primitive for CVE-2024-55956. The second vulnerability's exploitation chain depends entirely on Cleo's default Autorun directory configuration. Disabling or restricting this feature is an effective temporary mitigation for CVE-2024-55956 when immediate patching is not possible, and removing its default-open configuration from production deployments reduces attack surface regardless of patch status.
- Cleopatra/Malichus is specifically designed for Cleo environments. The Java backdoor deployed in these attacks parses Cleo-specific configuration files and accesses Cleo-specific credential stores. This is purpose-built MFT post-exploitation tooling, not a generic RAT repurposed for the campaign — indicating Cl0p invested in specific capability development for Cleo exploitation rather than adapting existing tools.
- Cl0p's MFT targeting is a repeating pattern, not an isolated incident. Accellion, GoAnywhere, MOVEit, and now Cleo — each campaign has followed the same model of zero-day exploitation for data theft and extortion. Organizations relying on any MFT platform should monitor for vulnerability disclosures and maintain the capability to patch within hours of a critical advisory, not days.
- Supply chain amplification makes MFT compromises disproportionately damaging. The data exfiltrated from a compromised MFT server belongs not only to the organization running the software but to its trading partners, customers, and suppliers. A single compromise can produce regulatory notification obligations and reputational damage that extend well beyond the direct victim organization. This amplification effect is precisely why Cl0p targets MFT — and why organizations that rely on these platforms have outsized responsibility to maintain their security.
Cl0p's Cleo campaign ended Q4 2024 and began Q1 2025 with momentum that made it the most prolific ransomware group in that period. It has since moved on to Oracle E-Business Suite and other targets, demonstrating no sign of slowing. The lesson from Cleo — as from MOVEit, GoAnywhere, and Accellion before it — is that MFT platforms require the same security investment and operational attention as any internet-facing system holding the most sensitive data in an organization's ecosystem. Because they are exactly that.