Cleo CVE-2024-50623 & CVE-2024-55956 Explained: Inside Cl0p’s Patch-Bypass Attack
We track Cl0p closely. Their MOVEit campaign in 2023 affected more than 3,000 US organizations and earned the group an estimated $75–100 million. Cleo was their encore. Here is how they did it, who got hit, and what the incident should change about how you think about vendor patches.
Why Cl0p targeted Cleo
Cleo serves more than 4,200 customers globally. Its MFT products sit between enterprises and their trading partners, moving payroll files, vendor invoices, inventory data, and regulated records. Compromise one Cleo server and you do not just breach that customer — you breach every partner whose data flows through it.
This is the same logic that made MOVEit so damaging in 2023, and it is why Cl0p has cycled through MFT platforms in sequence: Accellion in 2020–2021, GoAnywhere in early 2023, MOVEit later that year, and Cleo in late 2024. Each platform was widely deployed, internet-facing, and trusted with sensitive data flows. Each campaign sharpened the playbook.
Cleo added a new wrinkle. For the first time, Cl0p built an attack around a vulnerability the vendor had already patched.
What Cleo Harmony, VLTrader, and LexiCom do
Three Cleo products sat at the center of the campaign:
- Harmony is the enterprise-grade platform used by larger organizations for complex, high-volume integrations
- VLTrader is aimed at mid-market organizations needing secure B2B file exchange with trading partners
- LexiCom is a lightweight desktop client used for secure transfers to specific partners or industry networks
The three products share common code. That is why both vulnerabilities affected all of them simultaneously, and why a single exploit could be pointed at any Cleo customer regardless of which product they had deployed.
The first zero-day: CVE-2024-50623
Cleo disclosed CVE-2024-50623 in late October 2024 as an unrestricted file upload and download flaw in Harmony, VLTrader, and LexiCom. The company shipped a fix in version 5.8.0.21 and moved on.
Cl0p did not. On December 3, 2024, Huntress researchers began seeing active exploitation of the vulnerability on Cleo servers — including servers that had already applied the October patch. The attackers were writing malicious files into Cleo’s Autorun directory, a folder the software uses to automatically process uploaded content. Autorun executed those files with the permissions of the Cleo service. The result was unauthenticated remote code execution on internet-facing servers.
The exploitation pattern was consistent across victims:
- An XML file dropped into the Autorun directory
- An embedded PowerShell command in that XML, retrieving a Java Archive (JAR) from attacker infrastructure
- A Java loader loading the final payload into memory
Huntress observed a sharp spike in exploitation around December 8, 2024. Censys scans at the time of disclosure counted 1,342 Cleo instances exposed to the public internet, 79% of them in the United States. CVE-2024-50623 carries a CVSS score of 9.8.
The patch problem: CVE-2024-55956
This is where the Cleo story breaks from the MOVEit pattern: the October patch did not hold.
Huntress reported that servers running the supposedly patched version 5.8.0.21 were still being compromised. Cleo and several research teams examined the attack pattern. On December 13, 2024, a second CVE was assigned — CVE-2024-55956 — and a new patch shipped in version 5.8.0.24.
Cleo’s official position is that the two CVEs have different root causes and that CVE-2024-55956 is not a bypass. Their reasoning: CVE-2024-50623 is an unauthenticated file read-and-write flaw, while CVE-2024-55956 is a separate unauthenticated file-write flaw that reaches command execution through the Autorun directory. Huntress and several other research teams disagree on the framing — from a defender’s perspective, servers believed to be patched remained exploitable, and a second emergency patch was needed.
Either way, the practical outcome for customers was the same. Organizations that applied the October patch and moved on found themselves compromised in late November and early December, often by Cl0p operators who already had the exploit tooling ready.
CISA added both CVEs to the Known Exploited Vulnerabilities (KEV) catalog.
The Cleopatra backdoor
Arctic Wolf Labs analyzed the post-exploitation activity in detail and named the resulting implant Cleopatra. The execution chain followed a consistent pattern across every compromised server:
- Initial access via the Autorun vulnerability, delivering a malicious XML file
- PowerShell stager embedded in the XML, retrieving a Java loader
- Java-based backdoor (Cleopatra) loaded into memory for persistence, command execution, and data exfiltration
Cleopatra was built for Cleo servers specifically. It used Cleo’s own Java runtime to blend in with legitimate processes, and its obfuscation made static detection difficult without purpose-built signatures. Like LEMURLOOT before it, the implant prioritized data theft over encryption.
Compare the mechanics side by side with the MOVEit campaign:
| | MOVEit (2023) | Cleo (2024) |
|---|---|---|
| Initial access | SQL injection (CVE-2023-34362) | Arbitrary file upload (CVE-2024-50623 / CVE-2024-55956) |
| Implant | LEMURLOOT ASP.NET web shell | Cleopatra Java backdoor |
| Persistence | “Health Check Service” database accounts | Java loader in Cleo runtime |
| Objective | Data exfiltration, no encryption | Data exfiltration, no encryption |
Different vulnerability classes, different implants, same objective: persistent unauthenticated access to a trusted data-handling platform, then quiet exfiltration of everything valuable.
Attribution: Cl0p, Termite, and the FIN11 cluster
Attribution took a few weeks to settle. Early reporting suggested a newer ransomware group called Termite, which had recently been linked to a supply chain incident affecting Blue Yonder. Termite operated public-facing Cleo infrastructure and appeared to have exploit capability against the platform.
By mid-December, Cl0p had formally claimed responsibility on its dark web leak site. Mandiant and Google Threat Intelligence Group have long linked Cl0p-branded operations to the financially motivated cluster tracked as FIN11, though the two are not identical. Multiple actors have used the Cl0p brand and infrastructure over the years.
For defenders, the attribution debate matters less than the behavioral consistency. Whoever is operating the leak site — Cl0p, FIN11, Termite, or a collaboration between them — the playbook is the same: zero-day exploitation of a widely deployed data-handling platform, silent data exfiltration, then a mass email extortion campaign to executives. We cover the broader picture in our Cl0p ransomware group profile.
Victim count and notable names
The number of Cleo victims shifted as Cl0p published them in waves:
- December 24, 2024: Cl0p announced 66 alleged victims on its leak site, with a 48-hour ultimatum to respond
- January 17–18, 2025: The group began publishing data from organizations that had refused to negotiate
- February 14, 2025: Cl0p posted details of 182 Cleo victims on its leak site
Independent research from WhiteBlueOcean counted more than 200 organizations added to the Cl0p leak site across December 2024 alone, the majority tied to Cleo.
Confirmed or named victims include:
- Hertz — confirmed a data breach tied to the Cleo exploit, with customer personal data stolen
- WK Kellogg — confirmed victim
- Chicago Public Schools — confirmed victim
- Western Alliance Bank — confirmed victim
- Blue Yonder — supply chain management provider whose compromise disrupted operations at major retailers
- Champion Home Builders — confirmed victim
The supply chain effect is worth spelling out. Blue Yonder is used by Fortune 500 retailers to run supply chain planning. Its compromise rippled outward to companies that were never directly targeted — the same cascade that made MOVEit so damaging.
Cl0p’s MFT pattern: four campaigns, one playbook
Laid out in sequence, the pattern is clear:
| Year | Platform | Vulnerability | Approx. victims |
|---|---|---|---|
| 2020–2021 | Accellion FTA | Zero-day web shell (DEWMODE) | Dozens across law, academia, government |
| Early 2023 | Fortra GoAnywhere MFT | CVE-2023-0669 | ~130 organizations in 10 days |
| May 2023 | Progress MOVEit Transfer | CVE-2023-34362 | 3,000+ US, 8,000+ globally |
| Late 2024 | Cleo Harmony / VLTrader / LexiCom | CVE-2024-50623, CVE-2024-55956 | 182+ organizations |
Each campaign built on the last. Accellion established extortion without encryption. GoAnywhere proved the model scaled. MOVEit showed the supply chain cascade. Cleo added exploitation of the patch window itself.
Cl0p has since expanded beyond MFT entirely. In late 2025, the group claimed responsibility for a campaign exploiting zero-day vulnerabilities in Oracle E-Business Suite — an ERP platform, not an MFT — affecting Michelin, Canon, Mazda, Estée Lauder, and Broadcom among others. The underlying pattern holds: find a widely deployed, trusted data-handling platform, exploit it before patches land, extort at scale.
Indicators of compromise
Publicly available IOCs for the Cleo campaign include:
- Unexpected .xml files written to the Cleo Autorun directory
- PowerShell processes spawned by the Cleo service with encoded or obfuscated commands
- Java processes loading non-Cleo JAR files, particularly from memory
- Outbound connections from Cleo servers to previously unseen infrastructure
- File hashes published in advisories from Huntress, Arctic Wolf, Rapid7, and CISA
Relevant MITRE ATT&CK techniques observed in the campaign:
- Initial Access – Exploit Public-Facing Application (T1190): arbitrary file upload against internet-facing Cleo products
- Execution – Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell stager invoked via Autorun
- Persistence – Server Software Component (T1505): Cleopatra Java implant loaded into the Cleo runtime
- Exfiltration – Exfiltration Over C2 Channel (T1041): outbound data transfer to attacker infrastructure
Review firewall and proxy logs for outbound connections from Cleo servers to unknown IP addresses during late November and December 2024. That window is where most of the unseen compromises sit.
Mitigation steps for Cleo customers
If you run Cleo products, prioritize these actions:
- Review Cleo servers for signs of prior compromise. Huntress first observed exploitation on December 3, 2024, and some compromises may predate that. A clean patch now does not unwind an earlier breach.
- Audit the Autorun directory for unexpected XML files, scripts, or JAR files. Review PowerShell and Java process histories on Cleo hosts.
- Restrict internet exposure. Cleo servers that do not need to be directly reachable from the public internet should sit behind a VPN, a reverse proxy with strict access controls, or IP allow-listing for known trading partners.
- Monitor for Cl0p extortion emails. The group contacts executives directly. An extortion email mentioning Cleo-stored data is a strong signal that a compromise may have occurred regardless of internal telemetry.
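The following script is an added example for the two preceding sections (the IOC list and the mitigation steps); it is not code from this article, from Cleo, or from any of the research teams cited. It gates the installed version against 5.8.0.21 versus 5.8.0.24, audits Autorun file content for shell and download-cradle tokens, and hunts process-creation logs for cmd or PowerShell children of the Cleo install tree. Everything outside those three published facts is an assumption: the install root is passed in as cleo_root, process events are assumed to be available as tab-separated timestamp / parent image / image / command line lines, the XML layout is a stand-in for Cleo's real Autorun schema, and the sample XML and log lines are constructed for the demo rather than taken from real Cl0p payloads.

```python
"""Post-patch triage for a Cleo host: version gate, Autorun audit, process-log hunt.

Added example, not code from the article, Cleo, or the cited research teams.
Assumed (not from the page): cleo_root is the install tree; process events are
tab-separated '<timestamp>\\t<parent image>\\t<image>\\t<command line>' lines;
the XML layout and all samples below are constructed for the demo.
"""
import re
from pathlib import Path

FIRST_PATCH = (5, 8, 0, 21)   # fixes CVE-2024-50623 only
FULL_FIX = (5, 8, 0, 24)      # also fixes CVE-2024-55956


def parse_version(text: str) -> tuple[int, ...]:
    """'5.8.0.21' -> (5, 8, 0, 21); a trailing build suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    v = tuple(int(p) for p in m.group(1).split("."))
    return v + (0,) * (4 - len(v))   # pad so '5.8' compares like '5.8.0.0'


def patch_status(version: str) -> str:
    """Distinguish 'patched for 50623 only' from 'patched for both'."""
    v = parse_version(version)
    if v >= FULL_FIX:
        return "patched"
    if v >= FIRST_PATCH:
        return "CVE-2024-50623 patched, CVE-2024-55956 unpatched"
    return "unpatched for both CVEs"


# Tokens that have no business inside an Autorun definition on a healthy host.
SUSPICIOUS_XML = re.compile(
    r"powershell|cmd\.exe\s*/c|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|DownloadString|Invoke-WebRequest|FromBase64String",
    re.IGNORECASE,
)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
DOWNLOAD = re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|\biex\b|Net\.WebClient", re.IGNORECASE)
SHELL_CHILD = re.compile(r"(?:^|[\\/])(?:powershell|pwsh|cmd)\.exe$", re.IGNORECASE)


def scan_autorun_text(name: str, text: str) -> list[str]:
    """One finding per suspicious token in an Autorun file's content."""
    return [f"{name}: {m.group(0)[:40]}" for m in SUSPICIOUS_XML.finditer(text)]


def scan_autorun_dir(autorun: Path) -> list[str]:
    """Audit every file in the Autorun directory; non-XML files are findings too."""
    findings = []
    for p in sorted(autorun.iterdir()):
        if p.suffix.lower() != ".xml":
            findings.append(f"{p.name}: non-XML file in Autorun")
        else:
            findings.extend(scan_autorun_text(p.name, p.read_text(errors="replace")))
    return findings


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def scan_process_log(lines, cleo_root: str) -> list[str]:
    """Flag cmd/PowerShell children of any process under the Cleo install tree."""
    root = cleo_root.lower().rstrip("\\/") + "\\"
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
        if not parent.lower().startswith(root) or not SHELL_CHILD.search(image):
            continue
        reasons = []
        if ENCODED_PS.search(cmdline):
            reasons.append("encoded command")
        if DOWNLOAD.search(cmdline):
            reasons.append("download cradle")
        why = ", ".join(reasons) or "no encoding, still unexpected"
        hits.append(f"{ts}: {_basename(image)} spawned by {parent} ({why})")
    return hits


# Constructed samples: hypothetical schema, paths and payload, not real artifacts.
SAMPLE_XML = (
    '<?xml version="1.0"?>\n<Host>\n'
    "  <Commands>SYSTEM cmd.exe /c powershell -NonInteractive -enc " + "U" * 64
    + "</Commands>\n</Host>\n"
)
SAMPLE_LOG = [
    "2024-12-08T03:14:02Z\tC:\\LexiCom\\jre\\bin\\javaw.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -NonInteractive -ExecutionPolicy Bypass -enc " + "Q" * 48,
    "2024-12-08T03:14:05Z\tC:\\LexiCom\\jre\\bin\\javaw.exe"
    "\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c whoami",
    "2024-12-08T09:00:00Z\tC:\\Windows\\explorer.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe Get-Service",
]

if __name__ == "__main__":
    print("5.8.0.21:", patch_status("5.8.0.21"))
    for f in scan_autorun_text("evil.xml", SAMPLE_XML):
        print("autorun:", f)
    for h in scan_process_log(SAMPLE_LOG, r"C:\LexiCom"):
        print("process:", h)
```

The process rule deliberately fires on any cmd or PowerShell child of the Cleo tree, not only encoded ones: the Autorun mechanism gives the attacker a command-execution primitive in the service's context, so a plain `cmd.exe /c` from the Cleo JVM is as unexpected as an encoded stager. Run scan_autorun_dir against the real Autorun path on each host and feed scan_process_log with exported process-creation events covering at least late November through December 2024.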
The broader lesson: applying a vendor patch is not the same as verifying the underlying issue is fixed. CVE-2024-50623 was patched in October. Cl0p was inside hundreds of Cleo servers by December.
That is where external visibility earns its place. We monitor your externally exposed assets, track dark web and underground forum activity for campaign precursors, and surface compromised data and credentials before extortion attempts begin. For platforms like Cleo — internet-facing, handling trusted data flows, difficult to fully patch in time — early external detection often closes the window before Cl0p-style groups can act.
Frequently asked questions
Two related flaws disclosed in late 2024: CVE-2024-50623 and CVE-2024-55956. Both affect Cleo Harmony, VLTrader, and LexiCom. Both enable unauthenticated remote code execution on internet-facing servers. Both are listed in CISA’s Known Exploited Vulnerabilities catalog.
CVE-2024-50623 is an unrestricted file upload and download flaw, disclosed in October 2024 and patched in version 5.8.0.21. CVE-2024-55956, disclosed in December 2024 and patched in 5.8.0.24, is a related unauthenticated file-write flaw in the Autorun directory. Cleo considers them distinct issues with different root causes. Huntress and several other research teams describe the second as a practical bypass of the first patch.
The Cl0p ransomware group publicly claimed responsibility in December 2024. Researchers have linked Cl0p-branded operations to the financially motivated cluster tracked as FIN11. A newer group called Termite was discussed in early reporting, particularly around the Blue Yonder compromise. Multiple actors have used the Cl0p brand over time, which complicates single-group attribution.
Cleopatra is the name given by Arctic Wolf Labs to the Java-based backdoor deployed on compromised Cleo servers. It was loaded in memory via a PowerShell stager and a Java loader, and used for persistence, command execution, and data exfiltration. It lived inside Cleo’s own runtime environment to evade detection.
Cl0p named 66 alleged victims in December 2024. By February 14, 2025, the group had posted details of 182 Cleo victims on its leak site. Independent research from WhiteBlueOcean counted more than 200 organizations added across December 2024 alone.
Confirmed or named victims include Hertz, WK Kellogg, Chicago Public Schools, Western Alliance Bank, Blue Yonder, and Champion Home Builders. Blue Yonder’s compromise in particular rippled outward to major retailers that depend on its supply chain software.
Upgrade to Cleo version 5.8.0.24 or later, audit Cleo servers for signs of prior compromise, restrict internet exposure of Cleo instances, and monitor for Cl0p extortion emails. More broadly, continuous external visibility into exposed data-handling platforms matters more than any single patch cycle.
What the Cleo campaign should change about your security posture
The MOVEit campaign taught one lesson: a single zero-day in a widely deployed platform can cascade through thousands of supply chains. Cleo added another. A patched vulnerability is not always a fixed one. Vendor advisories, CVE assignments, and version numbers are starting points, not endings. Threat actors monitor the window between an initial patch and a complete fix because it is reliably productive.
For security teams, the practical implication is that patch management alone cannot close the gap. You need external visibility into what attackers see, including which of your assets are exposed, which platforms are being probed, and whether your data is already circulating on dark web forums.
