The notorious Cl0p ransomware group has published a list of companies compromised through vulnerabilities in Cleo’s managed file transfer (MFT) software.
The announcement, made on the group’s dark web leak site, highlights the exploitation of a critical vulnerability, CVE-2024-50623. This flaw allows unauthenticated remote code execution and has been actively used by Cl0p to infiltrate organizations globally.
The vulnerability affects Cleo Harmony, VLTrader, and LexiCom products. Although a patch was released in October 2024, cybersecurity researchers found the fix insufficient, leaving systems exposed to exploitation.
The flaw enables attackers to upload malicious files that are automatically executed by the software, granting them unauthorized access to sensitive data. A newer patch (version 5.8.0.24) has since been issued, but many organizations remain vulnerable due to delayed updates or insufficient mitigations.
Cl0p has claimed responsibility for exploiting this vulnerability and has reportedly targeted at least 66 organizations so far. The victims span industries such as logistics, consumer goods, and food supply chains.
While only partial names of affected companies have been disclosed, the group has threatened to release full details if ransom demands are not met by January 21.
Cl0p’s Extortion Strategy
Known for its sophisticated extortion tactics, Cl0p uses multilevel pressure to coerce victims into paying ransom. In this case, the group has provided secure communication channels for negotiations and warned that non-compliance will lead to public exposure of stolen data. This approach mirrors previous campaigns by Cl0p, such as the MOVEit breach in 2023, where hundreds of companies faced similar threats.
The group’s dark web post also announced plans to release additional victim lists in phases. The first set of data is expected to be published on January 18, with subsequent releases following shortly after.
Cleo has acknowledged the severity of the situation and issued updated advisories urging customers to apply the latest patches immediately. The company has also extended 24/7 support services to assist affected clients in securing their systems.
However, cybersecurity experts warn that organizations using Cleo products must remain vigilant as attackers may continue targeting unpatched systems.
The incident underscores a broader trend of ransomware groups exploiting vulnerabilities in widely used file transfer platforms. Cl0p’s history includes similar attacks on Accellion, GoAnywhere MFT, and MOVEit software, demonstrating a pattern of leveraging zero-day vulnerabilities for large-scale data breaches.
This latest attack highlights the critical importance of timely patch management and robust cybersecurity measures. Organizations relying on third-party software must proactively monitor for vulnerabilities and implement mitigations promptly to reduce exposure.
As Cl0p continues its campaign against Cleo users, affected companies face mounting pressure to respond swiftly or risk severe reputational and financial damage. The cybersecurity community urges all organizations to prioritize system updates and collaborate with law enforcement agencies to mitigate the impact of such attacks.
The unfolding situation serves as a stark reminder of the persistent threat posed by ransomware groups like Cl0p and their evolving tactics in exploiting critical infrastructure vulnerabilities.