The Clop ransomware group exploited CVE-2024-50623, a critical zero-day in Cleo’s managed file transfer products, to breach dozens of organizations and launch a mass extortion campaign. Clop published a list of 66 named victims with a 48-hour negotiation ultimatum — a tactic the group has used consistently since its 2023 MOVEit campaign.
CVE-2024-50623: Unauthenticated File Upload to RCE
The vulnerability affects three Cleo products: LexiCom, VLTransfer, and Harmony. The flaw enables unauthenticated file upload and download, which attackers chained into remote code execution on exposed servers. Cleo released a patch in mid-December 2024, upgrading affected deployments to version 5.8.0.24. According to CISA advisories, Clop began exploiting the vulnerability before the patch was widely applied, placing organizations in a narrow response window.
Clop’s Extortion Infrastructure
Clop established dedicated secure chat channels for ransom negotiations with each victim, with fallback email addresses for organizations that did not respond. The 66 published organizations are assessed to be only those that ignored initial outreach — Cleo’s total customer base exceeds 4,000 enterprises, including Target, Walmart, FedEx, and The Home Depot. Security researchers treating the published list as the full scope of compromise are likely underestimating total breach volume.
Clop’s Enterprise MFT Targeting Pattern
This campaign follows a deliberate, repeating playbook: identify a zero-day in widely used managed file transfer software, stockpile access across hundreds of organizations, then execute mass extortion simultaneously. Prior campaigns targeted Accellion FTA (2020–2021), GoAnywhere MFT (CVE-2023-0669, exploited February 2023), and MOVEit Transfer (CVE-2023-34362, exploited May 2023). Each wave affected hundreds of organizations across healthcare, finance, and critical infrastructure.
Organizations Running Cleo MFT Products
Any organization operating Cleo LexiCom, VLTransfer, or Harmony versions below 5.8.0.24 on internet-accessible infrastructure is at risk of having been compromised prior to patching. Cleo products are heavily used in retail, logistics, and supply chain sectors for EDI and B2B data exchange — making victim data attractive for follow-on fraud and supply chain attacks targeting trading partners.
Immediate Steps for Cleo Operators
- Upgrade all Cleo LexiCom, VLTransfer, and Harmony instances to version 5.8.0.24 or later immediately.
- Audit server logs for unauthorized file uploads or anomalous outbound connections dating back to December 2024.
- Restrict Cleo product ports from public internet exposure and require VPN for access where operationally feasible.
- Review file transfer logs for data exfiltration indicators — unusually large outbound transfers, access from unexpected IP ranges.
- Engage your incident response team and legal counsel before any ransom negotiation contact — Clop negotiations typically escalate to public data release if prolonged.
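As an added illustration of the audit steps above (not code from the advisory or from Cleo), the following script applies the page's indicators to constructed transfer-log lines: it skips activity before the December 2024 window, flags unusually large outbound transfers and access from outside known trading-partner ranges, and checks a build string against the fixed version 5.8.0.24. The log format, the partner IP ranges and the 500 MB threshold are assumptions, not Cleo's real schema.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format, not Cleo's real log schema):
# <ISO timestamp> <direction as seen by the server> <remote_ip> <bytes> <path>
SAMPLE_LOG = """\
2024-12-02T01:14:09 upload 203.0.113.45 4096 /hosts/main.xml
2024-12-10T03:22:41 download 203.0.113.45 734003200 /data/edi/outbound.zip
2024-12-11T09:05:12 download 192.0.2.20 52000 /data/edi/po_4471.edi
2024-12-15T22:48:33 download 198.51.100.7 1288490188 /data/edi/archive.tar
2024-11-20T11:00:00 upload 192.0.2.20 1200 /data/edi/inbound.edi
"""

TRUSTED_PARTNER_RANGES = [ip_network("192.0.2.0/24")]  # assumed known trading-partner range
AUDIT_WINDOW_START = datetime(2024, 12, 1)             # page: audit back to December 2024
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024               # assumed "unusually large" threshold
FIXED_VERSION = (5, 8, 0, 24)                          # page: patched build 5.8.0.24


def version_is_vulnerable(version: str) -> bool:
    """True if a dotted Cleo build string sorts below the fixed version."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    ts, direction, ip, size, path = line.split()
    return datetime.fromisoformat(ts), direction, ip_address(ip), int(size), path


def flag_transfers(log_text: str) -> list:
    """Return records in the audit window that match the exfiltration indicators."""
    findings = []
    for line in log_text.splitlines():
        ts, direction, ip, size, path = parse_line(line)
        if ts < AUDIT_WINDOW_START:
            continue  # outside the window the page says to audit
        reasons = []
        # A "download" by the remote side is an outbound transfer from the server.
        if direction == "download" and size >= LARGE_TRANSFER_BYTES:
            reasons.append("large outbound transfer")
        if not any(ip in net for net in TRUSTED_PARTNER_RANGES):
            reasons.append("access from unexpected IP range")
        if reasons:
            findings.append({"time": ts.isoformat(), "ip": str(ip),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_transfers(SAMPLE_LOG):
        print(f)
```

Hits from a real deployment are leads for the incident response team, not proof of compromise on their own; a download in the window from a partner range below the size threshold produces no finding here, so tune the threshold to your normal EDI volumes.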
Clop’s campaigns have been notable for their scale and patience: the group accumulates access over weeks before triggering extortion, which means organizations that applied the Cleo patch after December 2024 may still have been compromised during the exploitation window. Forensic verification of server integrity is warranted even for patched systems.