Cl0p’s Exploitation of Cleo Puts the Supply Chain at Immediate Risk
Written by: Ferhat Dikbiyik
Contributor: Yavuz Han & Ekrem Celik
Cl0p is back—and this time, they’ve set their sights on Cleo, a critical tool for supply chain integration. By exploiting vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, Cl0p has reignited concerns of another large-scale ransomware campaign, echoing the chaos caused by their MOVEit, GoAnywhere, and Accellion attacks. With thousands of companies relying on Cleo for seamless data transfers and partner integrations, the risk isn’t just direct—it’s systemic.
Timeline of Events
October 2024: Discovery of Cleo Vulnerabilities
Cleo released patches addressing a critical vulnerability (CVE-2024-50623) in its Managed File Transfer (MFT) products, including Harmony, VLTrader, and LexiCom. The flaw allowed unrestricted file uploads, enabling unauthenticated remote code execution. Cleo urged customers to upgrade to version 5.8.0.21 to mitigate the risk.
November 2024: Blue Yonder Incident and Termite Ransomware Group
Weeks later, Blue Yonder, a major SaaS provider for supply chain management, fell victim to a ransomware attack. The Termite ransomware group claimed responsibility, leveraging vulnerabilities and credential exposure to compromise systems.
While Blue Yonder’s attack and the Termite group initially seemed isolated, Cleo systems emerged as Indicators of Compromise (IoCs) in Termite’s operations. This incident highlighted how supply chain integration tools could be weaponized to cause widespread operational disruption. For more details on Blue Yonder and Termite, refer to our previous analysis here.
December 2024: Cl0p’s Announcement and Growing Exploitation
In early December, signs of active exploitation began surfacing. Sophos X-Ops confirmed that attacks on Cleo products began on December 6, 2024, targeting 50+ unique hosts in North America, primarily in the retail sector. On December 13, the Cl0p ransomware group publicly claimed responsibility for exploiting Cleo’s vulnerabilities. Cl0p, known for its mass exploitation of Managed File Transfer products like MOVEit and GoAnywhere, followed their established playbook: exploit, exfiltrate, and pressure victims with double extortion. Their announcement signaled that victims were already under negotiation, and further disclosures were imminent.
December 13: CISA Confirms Active Exploitation
Also on December 13, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of CVE-2024-50623 and added it to the Known Exploited Vulnerabilities (KEV) Catalog. CISA mandated that all U.S. federal agencies apply patches by January 3, 2025, highlighting the urgency of remediation.
December 15: Second Cleo Vulnerability Surfaces
A second critical vulnerability (CVE-2024-55956) was identified in Cleo’s MFT solutions, further escalating the threat. This zero-day flaw, combined with CVE-2024-50623, expands the attack surface for threat actors, allowing even broader exploitation. According to new findings, these vulnerabilities remain attractive due to Cleo’s widespread usage in supply chain integration, especially in the retail and logistics industries.
December 17: CISA Adds CVE-2024-55956 to its KEV Catalog
December 18: First Victims Announced
The Cl0p ransomware group announced two new victims on December 18. Based on its initial announcement on the 13th, it is highly likely that these victims are part of its campaign of mass exploitation of the Cleo vulnerabilities.
Current Status: Patches, Advisories, and Present Risks
As of mid-December, reports from Huntress and Arctic Wolf revealed that:
- Fully patched Cleo systems may still be misconfigured and vulnerable under certain conditions.
- Attackers are deploying ransomware payloads and stealing data using a combination of CVE-2024-50623 and CVE-2024-55956.
The interconnected risks continue to grow. Cleo systems have become central to ransomware groups’ strategies, echoing Cl0p’s MOVEit campaign in scale and complexity. The Cleo exploitation campaign is ongoing, and the number of victims is expected to rise over the coming weeks.
The ripple effects across the global supply chain—especially in retail, logistics, and other interconnected industries—demonstrate the systemic impact of vulnerabilities in widely adopted tools like Cleo.
Who is Cl0p? Understanding the Group and Their Methods
Cl0p is a ransomware group notorious for large-scale exploitation campaigns targeting Managed File Transfer (MFT) software. Their operations are characterized by a “hit-and-run” mentality, focusing on mass exploitation rather than continuous attacks. Unlike opportunistic ransomware groups, Cl0p carefully identifies vulnerabilities in widely adopted tools, weaponizes them, and exploits them at scale. Their operations combine technical precision with a clear strategy: maximize impact and leverage high-value data for extortion.
Cl0p’s History and Previous Attacks
Cl0p has been linked to several high-profile attacks:
- Accellion FTA Attack (2020): In December 2020, Cl0p exploited zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA), compromising up to 100 companies and stealing sensitive data. Unlike typical ransomware attacks, they did not deploy file-encrypting malware but instead focused on data theft and extortion.
- GoAnywhere MFT Attack (2023): In early 2023, Cl0p exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT, claiming to have breached over 130 organizations. They utilized similar tactics of data exfiltration followed by extortion.
- MOVEit Exploitation (2023): In June 2023, Cl0p targeted a vulnerability in Progress Software’s MOVEit Transfer, affecting numerous organizations. They exfiltrated data and used double extortion tactics, threatening to publish the stolen information.
These incidents highlight Cl0p’s signature approach: they don’t operate year-round. Instead, they focus on mass exploitation campaigns—finding and exploiting critical vulnerabilities in widely used enterprise tools, launching large-scale attacks, and rapidly monetizing stolen data.
Cl0p’s Modus Operandi (MO): Targeting MFT Solutions
Cl0p’s tactics have a distinct pattern:
- Identification of Zero-Day Vulnerabilities: Cl0p specifically targets MFT solutions, which are vital for secure data transfers between organizations and trading partners. These tools often handle sensitive data, making them prime targets for extortion.
- Mass Exploitation: Once a vulnerability is identified, Cl0p moves quickly to exploit it. They leverage automated tools to scan for unpatched or exposed systems, often breaching hundreds of organizations simultaneously.
- Data Exfiltration and Double Extortion: After gaining access, Cl0p exfiltrates large amounts of sensitive data before deploying ransomware. They then engage in double extortion, threatening to leak stolen data publicly if victims refuse to pay. Their dark web blog serves as the platform to pressure victims by announcing data leaks.
- Timing and Scale: Cl0p strategically targets tools used by organizations with significant supply chain interdependencies, amplifying the impact of their campaigns. The MOVEit and GoAnywhere campaigns affected thousands of companies—directly and indirectly—demonstrating how they exploit systemic vulnerabilities in critical software.
Cl0p and Cleo: The Next MOVEit?
The exploitation of Cleo’s vulnerabilities mirrors Cl0p’s previous large-scale campaigns on Managed File Transfer (MFT) solutions like MOVEit and GoAnywhere. These campaigns targeted zero-day vulnerabilities, allowing Cl0p to breach organizations en masse and exfiltrate sensitive data for double extortion. In December 2024, Cl0p publicly claimed responsibility for exploiting Cleo’s MFT products, specifically CVE-2024-50623 and CVE-2024-55956, stating they already had “a lot of companies” under their fingertips. This public declaration strongly suggests that exploitation began weeks earlier, consistent with Cl0p’s strategy of quietly breaching systems, stealing data, and only later announcing their activities to intensify pressure on victims yet to pay.
Given Cleo’s widespread adoption—particularly in retail and logistics, where it facilitates end-to-end supply chain integration—the scale of potential disruption is significant. Cl0p’s focus on tools that connect organizations across ecosystems amplifies the risk far beyond a single company, creating a ripple effect throughout supply chains.
This pattern is not new. During the MOVEit exploitation campaign in 2023, Black Kite Research and Intelligence Team (BRITE) observed 600 MOVEit assets exposed to the internet at the time of discovery. Given Cl0p’s spray-and-exploit approach, we estimate most of those assets were attacked. In total, Cl0p’s MOVEit campaign impacted hundreds of direct victims and indirectly affected more than 2,700 organizations, including downstream third- and fourth-party dependencies.
Within three months, Cl0p announced 270 victims tied to MOVEit on their leak site. Other victims were listed afterward, though it remains unclear if these were MOVEit-related. Notably, Cl0p claimed to have deleted stolen data for some organizations, such as non-profits and public institutions, likely for reputational reasons.
While Cl0p currently dominates the headlines, it is worth noting that the Termite ransomware group has also been associated with Cleo-related Indicators of Compromise (IoCs). Though there is no confirmed link between Cl0p and Termite, this overlap highlights how critical tools like Cleo become prime targets for multiple ransomware operators seeking high-impact opportunities.
Cl0p’s resurgence with Cleo is yet another example of their ability to disrupt systems at scale. Their hit-and-run mentality—periodically focusing on MFT vulnerabilities for maximum effect—demonstrates their precision and understanding of how interconnected systems amplify ransomware risks. Organizations must respond decisively to such threats, as delayed action could leave critical data and operations exposed in the interconnected web of modern supply chains.
The Technical Breakdown: How Cleo Vulnerabilities Are Being Exploited
CVE-2024-50623: The Initial Vulnerability
The first critical vulnerability identified in Cleo’s MFT solutions—CVE-2024-50623—was disclosed in October 2024. This flaw allows for unauthenticated file uploads, enabling attackers to place malicious files directly onto targeted servers. Under certain conditions, this results in remote code execution (RCE), giving threat actors the ability to execute arbitrary commands.
The vulnerability impacts Cleo Harmony, VLTrader, and LexiCom products widely used for secure file transfers, partner onboarding, and supply chain automation. Organizations with internet-exposed Cleo systems running unpatched versions were immediately placed at risk.
CVE-2024-55956: A Second Critical Flaw
On December 15, 2024, a second vulnerability—CVE-2024-55956—surfaced, further exacerbating the risk. This zero-day flaw allows for unrestricted file downloads, enabling attackers to exfiltrate sensitive data without authentication. In combination with CVE-2024-50623, this creates a powerful attack vector where threat actors can both infiltrate and exfiltrate data, a hallmark of ransomware operations.
Researchers from Huntress have raised concerns that even fully patched systems remain vulnerable under specific misconfigurations or incomplete remediations. This complicates mitigation efforts, as organizations may incorrectly assume they are protected after applying initial patches.
Indicators of Compromise (IoCs)
Security researchers have published several Indicators of Compromise related to Cleo exploitation, including:
- File Names and Patterns:
- Malicious file uploads often mimic legitimate Cleo processes to evade detection. For example, randomly named .xml or .log files placed in unexpected directories.
- Unusual Network Activity:
- Outbound connections to suspicious IP addresses.
- Unexpected data transfers involving Cleo MFT servers.
- C2 (Command and Control) Servers:
- Reported IP addresses identified as part of Cl0p campaigns.
- Example: 176[.]123[.]5[.]126 and 5[.]149[.]249[.]226 (placeholder examples).
Organizations are urged to monitor for these IoCs and conduct thorough forensic reviews of Cleo servers to identify unauthorized file uploads or unusual system behavior.
The Compounding Risk of Misconfiguration
While Cleo released patches in October, real-world implementation has revealed challenges. Systems with incomplete configurations or unpatched instances remain vulnerable. Additionally, Huntress researchers have reported that fully updated Cleo environments could still be exploited under specific conditions, raising the risk for organizations that rely on Cleo for critical file transfer operations.
The combined exploitation of CVE-2024-50623 and CVE-2024-55956 highlights the evolving sophistication of ransomware groups like Cl0p. These vulnerabilities create a near-perfect opportunity for attackers to infiltrate systems, steal sensitive data, and leverage supply chain disruptions for maximum impact. Organizations must act decisively to identify exposure, patch systems, and monitor for signs of compromise before attackers escalate their campaigns further.
The Supply Chain Impact: Why This Matters
Cleo’s Role in Supply Chain Integration
Cleo’s Integration Cloud (CIC) and Managed File Transfer (MFT) solutions serve as critical infrastructure for businesses that rely on seamless data exchanges with trading partners, customers, and internal systems. These tools power API and EDI-based transactions, automate file transfers, and integrate with back-office applications, enabling operational efficiency across interconnected supply chains.
Direct vs. Indirect Risks
The exploitation of Cleo vulnerabilities poses direct and indirect risks to organizations, mirroring the cascading effects seen during the MOVEit and GoAnywhere campaigns:
- Direct Impact:
- Organizations using vulnerable Cleo solutions face immediate risk of data exfiltration and ransomware deployment. Cl0p’s exploitation tactics allow for unauthorized file uploads, system access, and data theft, disrupting operations and potentially leading to downtime or financial losses.
- Indirect Impact:
- Even companies that do not directly use Cleo can be impacted through their vendors, partners, or customers. If a critical supplier or trading partner is compromised, it can trigger delays, operational bottlenecks, and interruptions to business continuity.
- These downstream impacts are especially critical in industries like retail and logistics, where delays during peak seasons—such as the holidays—can translate to significant revenue loss.
Sectors at Greatest Risk
Industries like retail, logistics, manufacturing, and healthcare depend heavily on Cleo to manage their supply chain workflows. From onboarding new partners to securely transferring sensitive business data, Cleo has become a central link in countless global operations. This widespread reliance creates an attractive target for ransomware groups like Cl0p, who aim to amplify the disruption by compromising a tool that connects thousands of organizations.
- Retail: Retailers depend on Cleo to integrate with suppliers, track shipments, and ensure inventory visibility. A disruption during peak seasons could delay deliveries, impact sales, and damage customer relationships.
- Logistics: Logistics providers rely on Cleo for partner onboarding, shipping automation, and real-time data exchanges. An attack could cause cascading delays across the supply chain.
- Manufacturing: Manufacturers using Cleo to exchange data with suppliers and partners could face production halts, delayed fulfillment, and financial loss.
- Healthcare: Sensitive healthcare data, often transferred through automated workflows, is particularly valuable to ransomware operators, posing both operational and regulatory risks.
Why This Matters for Supply Chain Resilience
The Cleo exploitation highlights a broader issue: the fragility of interconnected systems. Organizations often underestimate their reliance on third-party tools and partners until an incident like this occurs. A single vulnerability in a widely adopted platform can disrupt hundreds—or thousands—of interconnected businesses, amplifying risks across entire ecosystems.
For organizations prioritizing supply chain resilience, visibility is critical:
- Do you know which of your vendors, customers, or partners rely on Cleo?
- Can you assess their exposure and verify that mitigation steps are being taken?
- Are you prepared for disruptions caused by indirect dependencies?
Understanding these relationships and acting proactively can make the difference between business continuity and cascading failure.
How Black Kite Responded: Two FocusTags for Actionable Intelligence
Proactive Risk Identification and Customer Alerts
As the Cleo vulnerabilities began to surface and exploitation intensified, Black Kite acted swiftly to provide actionable intelligence for our customers. Understanding the layered risks posed by Cleo’s interconnected products, we released two distinct FocusTags:
- Cleo File Transfer FocusTag
- Cleo Integration – Ransomware Risk FocusTag
Both tags addressed critical aspects of the threat, helping customers identify exposure, prioritize outreach, and take decisive mitigation steps.
Cleo File Transfer FocusTag™: Identifying Vulnerable Systems
The Cleo File Transfer FocusTag™ focuses on the vulnerable software versions and internet-facing systems running Cleo Harmony®, VLTrader®, and LexiCom. This vulnerability-focused tag provides highly actionable intelligence for customers to address immediate technical risks.
Key details include:
- Identification of vulnerable Cleo products prior to version 5.8.0.21.
- IP addresses and hosted instances of Cleo MFT solutions exposed in the cloud.
- Indicators of Compromise (IoCs).
- Recommended mitigation actions, including patching, disabling autorun functionality, and isolating systems behind firewalls.
Customers used this tag to quickly identify their own exposure and initiate remediation efforts, including monitoring for signs of exploitation and implementing defensive controls.
Black Kite published this first tag on November 27, 2024 for CVE-2024-50623 and has updated it frequently since then to include new developments and vulnerabilities (CVE-2024-55956).
Cleo Integration – Ransomware Risk FocusTag™: Cascading Supply Chain Risk
The Cleo Integration – Ransomware Risk FocusTag™ addresses a broader risk beyond the specific vulnerabilities. This tag highlights organizations connected to Cleo’s Integration Cloud (CIC) as application or trading partners, who may face direct or indirect risks of a ransomware attack.
- The Cl0p ransomware group is infamous for exploiting Managed File Transfer (MFT) vulnerabilities, and their campaigns often extend beyond initial targets. Cleo’s MFT solutions are deeply integrated with Cleo Integration Cloud (CIC), a platform central to critical business ecosystem integrations.
- Trading partners connected to CIC could become part of the attack path, exposing sensitive assets and data to potential compromise.
The Cleo Integration tag is based on a combination of:
- Public integration data (95%) published by Cleo.
- Certificate analysis for Cleo-related products.
Through discussions with trading partners and confirmation from our customers, we’ve learned that Cleo integrations often touch sensitive data and critical systems, amplifying the potential for cascading impacts across the supply chain.
This tag enables customers to:
- Identify at-risk vendors and trading partners connected to Cleo.
- Understand and prioritize indirect risks that could impact their operations.
- Share actionable intelligence with vendors, raising awareness and driving remediation efforts.
Black Kite published this tag on December 16, 2024, right after Cl0p announced the Cleo campaign on its dark web blog. Black Kite has become the first source of intel for many Black Kite customers.
Customers who were identified as trading partners on Cleo’s public website began internal investigations to assess their exposure. IoCs provided with the tag—such as suspicious file patterns and malicious IPs—were shared with SOC teams to ensure no compromise had occurred. Organizations verified where Cleo touched their sensitive assets or critical systems and prepared incident response protocols as a precaution.
Operationalizing Both FocusTags™: From Intelligence to Action
Black Kite customers leveraged these FocusTags to address both immediate risks and cascading vulnerabilities:
- For Internal Mitigation (Cleo File Transfer FocusTag):
- Patch all Cleo Harmony, VLTrader, and LexiCom systems to version 5.8.0.21 or later.
- Place internet-facing systems behind a firewall and disable autorun functionality.
- Monitor for Indicators of Compromise (IoCs) such as malicious file uploads and suspicious IPs.
- For Vendor and Supply Chain Management (Cleo Integration FocusTag):
- Use the Cleo Integration – Ransomware Risk FocusTag to identify trading partners at risk of cascading ransomware impacts.
- Prioritize critical vendors and launch targeted outreach campaigns to raise awareness and request feedback.
- Collaborate with vendors to confirm mitigations and reduce shared risk.
- Leveraging Black Kite Bridge™:
- Customers operationalized these tags further through Black Kite Bridge, streamlining vendor outreach and tracking remediation progress in real time. Instead of sending manual questionnaires, they shared actionable intelligence directly with vendors, allowing for faster, more efficient responses.
A Coordinated Effort to Protect Customers
The swift release of these two FocusTags reflects Black Kite’s commitment to delivering timely and actionable intelligence. The BRITE (Black Kite Research and Intelligence) team worked around the clock to analyze risks, while our Customer Success, Support, and Product teams ensured customers could operationalize this intelligence effectively.
By addressing both technical vulnerabilities and supply chain risks, we enabled organizations to act decisively—protecting their systems, understanding their vendor relationships, and mitigating the cascading impacts of ransomware.
What Organizations Need to Do Now
As the exploitation of Cleo vulnerabilities continues to unfold, organizations must move quickly to mitigate risks, both internally and across their supply chains. Given Cl0p’s history of targeting widely adopted Managed File Transfer (MFT) tools, delaying action could leave organizations exposed to ransomware deployment, data theft, and operational disruptions.
Immediate Steps for Direct Users of Cleo
If your organization uses Cleo Harmony®, VLTrader®, or LexiCom, immediate technical measures must be prioritized:
- Patch Vulnerable Systems: Ensure all Cleo MFT products are updated to version 5.8.0.21 or later. This step is critical to addressing CVE-2024-50623 and CVE-2024-55956.
- Disable Autorun Functionality:
- Access the “Configure” menu, select “Options,” and clear the “Autorun Directory” field to prevent automatic execution of malicious files.
- Place Systems Behind a Firewall: Restrict internet-facing access to Cleo servers to minimize exposure. Where possible, disable external access entirely.
- Monitor for Indicators of Compromise (IoCs):
- Watch for unusual network activity or file uploads, such as main.xml or encoded malicious payloads.
- Block malicious IPs associated with Cl0p campaigns:
- 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103.
- Strengthen Security Controls: Enforce strong, unique passwords for Cleo systems, and enable multi-factor authentication (MFA) to reduce unauthorized access risks.
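A small triage script that covers both the IoC list in the technical breakdown above and the patch and monitoring steps in this list, added here as an example (it is not Cleo’s or Black Kite’s code). It assumes a constructed firewall-log line format, hypothetical /opt/cleo paths, and an operator-supplied allowlist of expected directories; the version number and the three IP addresses are the ones given on this page.

```python
import re
from ipaddress import ip_address

# Fixed version named in the advisory text above.
PATCHED_VERSION = "5.8.0.21"

# IPs listed on this page in defanged form; refanged below for matching.
CL0P_IOC_IPS_DEFANGED = (
    "176[.]123[.]5[.]126",
    "5[.]149[.]249[.]226",
    "185[.]181[.]230[.]103",
)


def refang(defanged):
    """Turn '1[.]2[.]3[.]4' into '1.2.3.4', rejecting anything that is not an IP."""
    ip = defanged.replace("[.]", ".")
    ip_address(ip)  # raises ValueError on a malformed indicator
    return ip


IOC_IPS = frozenset(refang(ip) for ip in CL0P_IOC_IPS_DEFANGED)


def parse_version(version):
    """Split a dotted version into integers so 5.8.0.9 < 5.8.0.21 compares correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version):
    """True when the installed version is at least 5.8.0.21 (numeric, not string, order)."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def suspicious_files(paths, expected_dirs):
    """Flag main.xml anywhere, plus .xml/.log files outside the directories you expect.

    expected_dirs is the operator's own allowlist (an assumption here); the page
    only says such files show up in 'unexpected directories'.
    """
    hits = []
    for path in paths:
        directory, _, name = path.rpartition("/")
        if name == "main.xml":
            hits.append((path, "main.xml upload named in IoC reporting"))
        elif name.endswith((".xml", ".log")) and directory not in expected_dirs:
            hits.append((path, "xml/log file outside an expected directory"))
    return hits


# Constructed log-line shape (not a real product format):
# <timestamp> <IN|OUT> src=<ip> dst=<ip>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<direction>IN|OUT)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
)


def ioc_connections(log_lines):
    """Return (timestamp, direction, peer) for every line that touches a listed IP."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line: skip it rather than abort the review
        for peer in (match["src"], match["dst"]):
            if peer in IOC_IPS:
                hits.append((match["ts"], match["direction"], peer))
    return hits


# Constructed sample data; the /opt/cleo paths are hypothetical, not Cleo's layout.
SAMPLE_FILES = [
    "/opt/cleo/logs/Harmony.log",
    "/opt/cleo/autorun/main.xml",
    "/opt/cleo/temp/lWQz8Kpa.xml",
    "/opt/cleo/conf/Options.xml",
]
EXPECTED_DIRS = {"/opt/cleo/logs", "/opt/cleo/conf"}
SAMPLE_FW_LOG = [
    "2024-12-10T03:14:07Z OUT src=10.0.5.20 dst=176.123.5.126",
    "2024-12-10T03:14:09Z OUT src=10.0.5.20 dst=52.0.0.10",
    "2024-12-10T03:15:31Z IN src=5.149.249.226 dst=10.0.5.20",
    "malformed line that the parser ignores",
]


def triage(version, paths=SAMPLE_FILES, expected_dirs=EXPECTED_DIRS, log_lines=SAMPLE_FW_LOG):
    """Summarise the three checks for one host as a dict."""
    return {
        "patched": is_patched(version),
        "files": suspicious_files(paths, expected_dirs),
        "connections": ioc_connections(log_lines),
    }
```

Run `triage("5.8.0.9")` against a host's real version string, file listing and connection log; a version that compares as patched only under string ordering is the trap the numeric comparison avoids.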
Understand and Mitigate Supply Chain Risks
Even if your organization does not use Cleo directly, there is significant indirect risk if your vendors, trading partners, or customers rely on Cleo systems. Cl0p’s attack campaigns historically spread across entire ecosystems, impacting organizations that were never direct targets.
Steps to address cascading risks include:
- Identify Affected Vendors:
- Use the Cleo Integration – Ransomware Risk FocusTag to identify trading and application partners exposed to potential ransomware threats.
- Review vendor dependencies to understand which of your critical suppliers or partners use Cleo’s Integration Cloud (CIC).
- Engage Vendors with Actionable Intelligence:
- Share specific IoCs and mitigation steps to raise awareness among vendors. Black Kite customers have used Black Kite Bridge™ to streamline outreach, allowing vendors to address vulnerabilities faster and confirm remediations.
- Prioritize Based on Criticality:
- Focus efforts on vendors and partners critical to your operations. Map out supply chain dependencies to identify where disruptions would cause the most significant impact.
- Test Contingency and Response Plans:
- Develop or review backup and disaster recovery plans to ensure operational continuity if a critical vendor is compromised.
- Identify alternative suppliers or redundancies in workflows to minimize downtime.
Strengthen Long-Term Cyber Resilience
While the immediate priority is mitigating Cleo-related risks, this incident underscores the broader need for improved third-party risk management and supply chain resilience. In an interconnected world, risks like Cleo’s vulnerabilities don’t stay isolated—they ripple across entire ecosystems. Whether you’re a direct user of Cleo systems or part of a broader supply chain, visibility and decisive action are critical to minimizing ransomware risk.
Organizations should take steps to ensure they are prepared for future events:
- Enhance Visibility:
- Continuously monitor vendor risk exposure, particularly for critical tools like MFT solutions that manage sensitive data and workflows.
- Proactively identify vulnerable systems across your supply chain using external intelligence and risk assessments.
- Adopt Threat Intelligence Tools:
- Leverage risk intelligence platforms to identify vulnerabilities, IoCs, and dark web chatter before incidents escalate. Tools like Black Kite’s FocusTags allow organizations to stay ahead of emerging threats and act decisively.
- Collaborate with Vendors:
- Build stronger relationships with third-party vendors to ensure faster response times during incidents. Avoid overwhelming vendors with repetitive questionnaires and focus on sharing actionable intelligence they can act on.
- Conduct Regular Security Audits:
- Evaluate the security posture of both internal systems and vendor environments, ensuring that vulnerabilities are identified and addressed before they can be exploited.
By addressing vulnerabilities internally, working proactively with vendors, and strengthening long-term cyber resilience, organizations can mitigate the cascading impacts of supply chain ransomware attacks.
Final Thoughts
The Cleo exploitation campaign is another stark example of how quickly ransomware groups like Cl0p can exploit critical vulnerabilities to disrupt organizations and their interconnected supply chains. By targeting tools that sit at the heart of business operations, Cl0p has shown once again that the impacts of these attacks are rarely limited to direct victims.
At Black Kite, we believe that speed, visibility, and actionable intelligence are key to minimizing risk in moments like these. The release of the Cleo File Transfer FocusTag™ and the Cleo Integration – Ransomware Risk FocusTag™ allowed our customers to take immediate action—internally patching vulnerabilities, identifying at-risk vendors, and prioritizing outreach campaigns.
These efforts are a testament to the collaborative work of the BRITE team, who identified and tracked this threat, and the Customer Success, Support, and Product and Development teams, who made this intelligence actionable for our customers.
While the Cleo vulnerabilities may dominate headlines today, the lesson for tomorrow is clear:
Know your vendors. Know their dependencies. And act decisively when risk emerges.
The next wave of ransomware will come—it always does. Organizations that prioritize visibility, operationalize risk intelligence, and strengthen supply chain resilience will be the ones who weather it best.
References
https://arcticwolf.com/resources/blog-uk/cleopatras-shadow-a-mass-exploitation-campaign-uk
https://infosec.exchange/@SophosXOps/113631363563332166