Pierluigi Paganini January 16, 2025

The Clop ransomware gang claims dozens of victims from a Cleo file transfer vulnerability, though several companies dispute the breaches.

The Clop ransomware group added 59 new companies to its leak site, the gang claims to have breached them by exploiting a vulnerability ​​in Cleo file transfer products. 

“We have data of many companies who use cleo. Our teams are reaching and calling your company and provide your special secret chat.
If you are not sure if we have your data.
emails us here” reads the Cl0p announcement published on its Tor leak site.

In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2024-50623 (CVSS score 8.8), which impacts multiple Cleo products to its Known Exploited Vulnerabilities (KEV) catalog.

“Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.” reads the advisory. “Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability. ”

The vulnerability affects the following products LexiCom before version 5.8.0.21, Harmony prior to version 5.8.0.21, and VLTrader prior to version 5.8.0.21.

On December 9, reports of active exploitation targeting Cleo file transfer software began circulating among cybersecurity community. Security firm Huntress publicly disclosed ongoing exploitation involving three different Cleo products.

“On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers.” reads the post published by Huntress. “We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity.”

Huntress researchers created a proof of concept and learned the patch does not mitigate the software flaw. The experts warned that fully patched systems running 5.8.0.21 are still exploitable.

Now the Clop ransomware group claims to have contacted the breached organizations, but they ignored ransom negotiations so the gang threatens to publish stolen data on January 18, 2025.

Some of the organizations listed by the Clop ransomware group have disputed the gang’s claims and denied they were compromised.

A spokesperson for U.S. car rental giant Hertz told TechCrunch that it is “aware” of Clop’s claims, but added there is “no evidence that Hertz data or Hertz systems have been impacted at this time.”

Clop group already targeted enterprise file transfer software in the past, a large-scale hacking campaign exploited vulnerabilities in MOVEit Transfer and GoAnywhere.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)