Security researchers are warning that hackers are actively exploiting another high-risk vulnerability in a popular file transfer technology to launch mass hacks.
The vulnerability, tracked as CVE-2024-50623, affects software developed by Illinois-based enterprise software company Cleo, according to researchers at cybersecurity company Huntress.
The flaw was first disclosed by Cleo in a security advisory on October 30 which warned that exploitation could lead to remote code execution. It affects Cleo’s LexiCom, VLTransfer, and Harmony tools, which are commonly used by enterprises to manage file transfers.
Cleo released a patch for the vulnerability in October, but in a blog on Monday Huntress warned that the patch does not mitigate the software flaw.
Huntress security researcher John Hammond said the company has observed threat actors “exploiting this software en masse” since December 3. He told TechCrunch in a statement on Tuesday that Huntress – which protects more than 1,700 Cleo LexiCom, VLTransfer, and Harmony servers – has discovered at least 24 businesses whose servers were compromised.
“Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers,” wrote Hammond, adding that many other customers are at risk of being hacked.
Shodan, a search engine for publicly available devices and databases, lists hundreds of vulnerable Cleo servers, the majority of which are located in the U.S.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Cleo has more than 4,200 customers, including U.S. biotechnology company Illumina, sports footwear giant New Balance, and Dutch logistics firm Portable.
Huntress has not yet identified the threat actor behind these attacks and it’s not known whether any data has been stolen from impacted Cleo customers. However, Hammond noted that the company has observed hackers performing “post-exploitation activity” after compromising vulnerable systems.
In an emailed statement given to TechCrunch, Jorge Rodriguez, SVP of product Development at Cleo, said that a patch for the critical vulnerability is “under development.” Huntress recommends that Cleo customers move any internet-exposed systems behind a firewall until a new patch is released.
Rodriguez declined to how many customers had been impacted or whether it was aware of any data exfiltration.
Enterprise file transfer tools are a popular target among hackers and extortion groups. Last year, the Russia-linked Clop ransomware gang claimed thousands of victims by exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer product. The same gang had previously taken credit for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software, which was used to target more than 130 organizations.
Updated with comment from Cleo.
