CVE-2024-55956
Published 2024-12-13
Priority: P1 · 99 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2025-01-07
Exploited in the wild
EPSS: 93.80% (99.8th percentile)
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cleo | harmony | < 5.8.0.24 | 5.8.0.24 |
| cleo | lexicom | < 5.8.0.24 | 5.8.0.24 |
| cleo | vltrader | < 5.8.0.24 | 5.8.0.24 |
Detection & IOCs (extracted from sources)
Sigma rules:
- Possible Cleo MFT Exploitation 2024
- Javaw Spawning Suspicious PowerShell
- Cleo software (LexiCom, VLTrader, Harmony) versions up to and including 5.8.0.21 are vulnerable; exploitation has been observed even on fully patched 5.8.0.21 systems.
- Monitor the Autorun directory (default: C:\LexiCom\autorun, C:\VLTrader\autorun, C:\Harmony\autorun) for unexpected files, especially healthchecktemplate.txt and healthcheck.txt.
- Look for javaw.exe spawning PowerShell processes; this parent-child relationship is indicative of exploitation.
- Inspect the LexiCom.xml and LexiCom.dbg log files for references to malicious autorun files being processed, including healthchecktemplate.txt and healthcheck.txt.
- Watch for outbound connections from Cleo software processes to external IPs to retrieve JAR files used for post-exploitation persistence.
- Attackers delete dropped JAR files after execution to evade detection; look for file creation/deletion artifacts in Cleo install directories.
- A notable exploitation uptick was observed on December 8 around 07:00 UTC; the earliest evidence of exploitation dates to December 3, 2024.
- The VLSync AS2 service path autorun/healthchecktemplate.txt has been seen in multipart request logs; monitor for this path in Cleo service logs.
- The CVE-2024-50623 patch (version 5.8.0.21) does NOT mitigate CVE-2024-55956; systems must be upgraded to 5.8.0.24 or later.
- Cleo software is commonly installed at the root of the filesystem (C:\LexiCom, C:\VLTrader, C:\Harmony) by default, increasing the exposure surface.
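The following Python is an added defender-side example, not code from the original page nor from Cleo, Huntress or any other vendor quoted here. It turns the detection hints above into three checks (autorun artefacts and dropped JARs in the Cleo install roots, javaw.exe spawning PowerShell, and the autorun healthcheck path in service-log lines) and runs them over constructed sample telemetry. The directory names and file names come from the page; the event dictionaries, the log-line layout and paths such as C:\LexiCom\jre\bin\javaw.exe are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Default Cleo install roots named on the page; the autorun directory sits under each.
CLEO_ROOTS = [PureWindowsPath(r) for r in (r"C:\LexiCom", r"C:\VLTrader", r"C:\Harmony")]
AUTORUN_DIRS = [root / "autorun" for root in CLEO_ROOTS]
# Autorun file names the page lists as exploitation artefacts.
SUSPICIOUS_AUTORUN_NAMES = {"healthchecktemplate.txt", "healthcheck.txt"}
# The VLSync service path the page says appears in multipart request logs.
AUTORUN_PATH_RE = re.compile(r"autorun[/\\]healthcheck(?:template)?\.txt", re.IGNORECASE)


def suspicious_autorun_files(file_events):
    """file_events: dicts {"action": "create"|"delete", "path": "<Windows path>"}.

    Flags (a) the named artefacts inside a Cleo autorun directory and (b) any
    .jar created or deleted under a Cleo install root, since the page notes
    that dropped JARs are removed after execution. Returns "action:path" strings.
    """
    hits = []
    for ev in file_events:
        p = PureWindowsPath(ev["path"])          # case-insensitive comparisons
        in_autorun = p.parent in AUTORUN_DIRS
        under_cleo = any(root in p.parents for root in CLEO_ROOTS)
        if (in_autorun and p.name.lower() in SUSPICIOUS_AUTORUN_NAMES) or \
           (under_cleo and p.suffix.lower() == ".jar"):
            hits.append(f'{ev["action"]}:{ev["path"]}')
    return hits


def javaw_spawning_powershell(process_events):
    """process_events: dicts {"parent_image", "image", "cmdline"} with full paths.

    Flags PowerShell whose parent is javaw.exe, the relationship the page and the
    "Javaw Spawning Suspicious PowerShell" Sigma rule describe.
    """
    hits = []
    for ev in process_events:
        parent = PureWindowsPath(ev["parent_image"]).name.lower()
        child = PureWindowsPath(ev["image"]).name.lower()
        if parent == "javaw.exe" and child in {"powershell.exe", "pwsh.exe"}:
            hits.append(ev["cmdline"])
    return hits


def suspicious_request_log_lines(lines):
    """Returns service-log lines that reference the autorun healthcheck path."""
    return [ln for ln in lines if AUTORUN_PATH_RE.search(ln)]


# Constructed sample telemetry (not real captures); the formats are assumptions.
SAMPLE_FILE_EVENTS = [
    {"action": "create", "path": r"C:\LexiCom\autorun\healthchecktemplate.txt"},
    {"action": "create", "path": r"C:\LexiCom\autorun\healthcheck.txt"},
    {"action": "create", "path": r"C:\VLTrader\autorun\nightly-sync.txt"},  # benign, operator-created
    {"action": "create", "path": r"C:\Harmony\temp\dropped.jar"},           # hypothetical dropped JAR
    {"action": "delete", "path": r"C:\Harmony\temp\dropped.jar"},           # removed after execution
    {"action": "create", "path": r"C:\Users\ops\report.txt"},               # outside Cleo roots
]
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\LexiCom\jre\bin\javaw.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NonInteractive -EncodedCommand <redacted>"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},                                  # benign
    {"parent_image": r"C:\LexiCom\jre\bin\javaw.exe",
     "image": r"C:\LexiCom\jre\bin\java.exe",
     "cmdline": "java.exe -version"},                                        # benign
]
SAMPLE_LOG_LINES = [
    "2024-12-08 07:02:11 POST /Synchronization VLSync: Multipart;receivedReceipt;path=autorun/healthchecktemplate.txt",
    "2024-12-08 07:02:15 POST /Synchronization VLSync: Multipart;receivedReceipt;path=inbox/invoice-2024-12.edi",
    "2024-12-08 07:03:00 GET /Synchronization",
]


def run_all():
    """Runs the three checks over the samples and returns a dict of findings."""
    return {
        "autorun_files": suspicious_autorun_files(SAMPLE_FILE_EVENTS),
        "javaw_powershell": javaw_spawning_powershell(SAMPLE_PROCESS_EVENTS),
        "request_log": suspicious_request_log_lines(SAMPLE_LOG_LINES),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(f"{check}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

The JAR check deliberately keeps both the create and the delete event for the same path, because the page's point is that the deletion itself is the artefact worth alerting on once the file is gone. Operator-created autorun files (the nightly-sync.txt sample) are not flagged, so the file-name check is a low-noise first pass rather than a substitute for reviewing every autorun entry.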
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA: GHSA-v87c-pw6c-99w6
ghsa_unreviewed · 2024-12-13 · CVE-2024-55956 [CRITICAL] · CWE-276
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
VulnCheck: Cleo Multiple Products Unauthenticated File Upload Vulnerability
vulncheck · 2024 · CVSS 9.8 · CVE-2024-55956 [CRITICAL] · CWE-276
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Affected: Cleo Multiple Products
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cyberplace.social/@GossiTheDog/113628339890303857; https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/; https://threats.wiz.i
VulnCheck: Cleo Multiple Products Unrestricted File Upload Vulnerability
vulncheck · 2024 · CVSS 9.8 · CVE-2024-50623 [CRITICAL] · CWE-434
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.
Affected: Cleo Multiple Products
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild; https://cyberplace.social/@GossiTheDog/113628339890303857; https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/; https://infosec.ex
CISA: Cleo Multiple Products Unauthenticated File Upload Vulnerability
cisa · 2024-12-17 · CVSS 9.8 · CVE-2024-55956 [CRITICAL] · CWE-276
Affected: Cleo Multiple Products
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956 ; https://nvd.nist.gov/vuln/detail/CVE-2024-55956
Remediation Due Date: 2025-01-07
Suricata: ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Write (CVE-2024-55956)
suricata · 2024-12-16 · CVSS 9.8 · CVE-2024-55956 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Write (CVE-2024-55956)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Synchronization"; http.header; to_lowercase; content:"vlsync|3a 20|"; fast_pattern; content:"receivedreceipt|3b|"; distance:0; content:"path|3d|"; distance:0; pcre:"/^[^\x0d\x0a\x3b]*[\x2f\x5c]/R"; reference:url,attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis; reference:cve,2024-55956; classtype:web-application-attack; sid:2058301; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_12_16, cve CVE_2024_55956, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confide
Metasploit: Cleo LexiCom, VLTrader, and Harmony Unauthenticated Remote Code Execution
metasploit
This module exploits an unauthenticated file write vulnerability in Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below.
Nuclei: Cleo Harmony < 5.8.0.24 - File Upload Vulnerability
nuclei · CVSS 9.8 · CVE-2024-55956 [CRITICAL]
Cleo Harmony efc76ba0-20ad-47cd-954c-cd5d5b46d33d@d7cc2490-03a9-48a8-8afd-bd7042cfdbd5"
matchers:
  - type: dsl
    dsl:
      - 'len(body) == 0'
      - 'contains(interactsh_protocol, "dns")'
    condition: and
# digest: 4b0a00483046022100a14e31f6dc64fef4a36fb797189655cf560daa2baeec54f3a29630775cd0722a022100f2014a47a3dc781cedaeda6036dd228a4cefe35f5e5cfdd566f88c09b12f8350:922c64590222798bb761d5b6d8e72950
Bleepingcomputer: Logitech confirms data breach after Clop extortion attack
blogs_bleepingcomputer · 2025-11-14 · Lawrence Abrams
Hardware accessory giant Logitech has confirmed it suffered a data breach in a cyberattack claimed by the Clop extortion gang, which conducted Oracle E-Business Suite data theft attacks in July.
Logitech International S.A. is a Swiss multinational electronics company that sells hardware and software solutions, including computer peripherals, gaming, video collaboration, music, and smart home products.
Today, Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission, confirming that data was stolen in a breach.
"Logitech International S.A. ("Logitech") recently experienced a cybersecurity incident relating to the exfiltration of data. The cybersecurity incident has not impacted Logitech's p
Bleepingcomputer: American Airlines subsidiary Envoy confirms Oracle data theft attack
blogs_bleepingcomputer · 2025-10-17 · CVSS 9.8 [CRITICAL] · Lawrence Abrams
Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.
"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."
Envoy Air is a subsidiary of American
Bleepingcomputer: Harvard investigating breach linked to Oracle zero-day exploit
blogs_bleepingcomputer · 2025-10-13 · CVSS 9.8 [CRITICAL] · Lawrence Abrams
Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site, saying the alleged breach was likely caused by a recently disclosed zero-day vulnerability in Oracle's E-Business Suite servers.
"Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system. This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard," a Harvard University Information Technology spokesperson told BleepingComputer.
"While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated wit
Bleepingcomputer: Oracle patches EBS zero-day exploited in Clop data theft attacks
blogs_bleepingcomputer · 2025-10-05 · CVSS 9.8 · CVE-2025-61882 [CRITICAL] · Lawrence Abrams
Update 10/6/25 11:15 AM ET: Updated story with more information on the leaked Oracle source code and the leaking of the exploit.
Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.
The flaw is within the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has a CVSS base score of 9.8, due to its lack of authentication and ease of exploitation.
"This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite," reads a new Oracle advisory.
"This v
Bleepingcomputer: Clop extortion emails claim theft of Oracle E-Business Suite data
blogs_bleepingcomputer · 2025-10-01 · Lawrence Abrams
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.
"This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said.
Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts.
"We a
Bleepingcomputer: Food giant WK Kellogg discloses data breach linked to Clop ransomware
blogs_bleepingcomputer · 2025-04-07 · CVSS 9.8 · CVE-2024-50623 [CRITICAL] · Bill Toulas
US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks.
Cleo software is a managed file transfer utility that was targeted by the Clop ransomware gang en masse at the end of last year. This attack leveraged two zero-day flaws tracked as CVE-2024-50623 and CVE-2024-55956, allowing the threat actors to breach servers and steal data.
"WK Kellogg learned on February 27, 2025, that a security incident may have occurred involving Cleo," reads the notice.
"WK Kellogg immediately began to investigate. We contacted Cleo, and Cleo informed us that an unauthorized person gained access on December 7, 2024, to the servers Cleo hosted fo
Crowdstrike: Outpace the Adversary: CrowdStrike's AI-native Falcon Platform in Action
blogs_crowdstrike · March 22, 2025
In collaboration with CrowdStrike's OverWatch team and aligned with the 2025 Threat Hunting Report, eCrime adversaries have been identified as one of the most significant threats to customer environments, consistently demonstrating advanced tradecraft and financial motivations. Among the most prolific groups in 2024 were GRACEFUL SPIDER, PUNK SPIDER, CURLY SPIDER, SCATTERED SPIDER, VICE SPIDER, and WANDERING SPIDER. These adversaries employ tactics such as exploiting vulnerabilities, phishing/vishing, ransomware, credential harvesting, and misuse of remote management tools (RMM) to achieve their objectives. Their sophistication and persistence underscore the critical need for a comprehensive, cro
Bleepingcomputer: Western Alliance Bank notifies 21,899 customers of data breach
blogs_bleepingcomputer · 2025-03-18 · Sergiu Gatlan
Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached.
Western Alliance is a wholly owned subsidiary of Western Alliance Bancorporation, a leading U.S. banking company with over $80 billion in assets.
The bank first revealed in a February SEC filing that the attackers exploited a zero-day vulnerability in the third-party software (disclosed by the vendor on October 27, 2024) to hack a limited number of Western Alliance systems and exfiltrate files stored on the compromised devices.
Western Alliance found that customer data was exfiltrated from its network only after
Huntress: Cleo Software Actively Being Exploited in the Wild CVE-2024-55956
blogs_huntress · 2025-01-06 · CVSS 9.8 · CVE-2024-55956 [CRITICAL]
## CVE-2024-55956 Summary
On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623, which allows unauthenticated remote code execution, Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.
TL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.
Bleepingcomputer: Clop ransomware claims responsibility for Cleo data theft attacks
blogs_bleepingcomputer · 2024-12-15 · CVSS 9.8 · CVE-2024-50623 [CRITICAL] · Lawrence Abrams
12/16/24 update: Article updated to include new information about Cleo CVE-2024-50623 and CVE-2024-55956 flaws.
The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits tracked as CVE-2024-50623 and CVE-2024-55956 to breach corporate networks and steal data.
Cleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use to securely exchange files between their business partners and customers.
## The Cleo zero-days
In October, Cleo disclosed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads, leading to remote code
Huntress: Cleo Malichus Malware Analysis CVE-2024-55956
blogs_huntress · 2024-12-11 · CVSS 9.8 · CVE-2024-55956 [CRITICAL]
## Summary - CVE-2024-55956
Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. The malware being delivered through this exploitation has now been analyzed and a technical breakdown of a new family of malware we’ve named Malichus is included in this post. The name is a play on the word Cleopatra and comes from Malichus I, who is noted to have burned Cleopatra’s navy fleet in revenge for his losses throughout a war that Cleopatra had initiated.
## Technical Analysis
## Stage 1: Powershell Downloader
The malware makes use of a small PowerShell loader that sets up the host for further exploitation. It is stored as a base64 blob and gets decoded and is used to execute a Java Archive that gets deployed to the system with the na
Recorded Future: Cleo MFT Vulnerability CVE-2024-50623: Critical RCE Risk
blogs_recorded_future · CVSS 9.8 · CVE-2024-50623 [CRITICAL]
# Cleo MFT: CVE-2024-50623
## What is CVE-2024-50623
CVE-2024-50623 is a critical unrestricted file upload and download vulnerability that could lead to remote code execution (RCE).
## What are the affected products?
The vulnerability affects Cleo's managed file transfer (MFT) products Harmony, VLTrader, and LexiCom before version 5.8.0.21.
- Cleo Harmony 5.8
- Cleo LexiCom 5.5.0.0
- Cleo LexiCom 5.6
- Cleo LexiCom 5.6.1
- Cleo LexiCom 5.6.2
- Cleo LexiCom 5.7
- Cleo LexiCom 5.8
- Cleo VLTrader 5.8
### Description
On December 13, 2024, Recorded Future’s Insikt Group published a TTP Instance detailing cybersecurity firm watchTowr Labs’ analysis of an alleged proof-of-concept (PoC) exploit for CVE-2024-50623.
CVE-2024-50623 stems from insufficient input validation, improper path sani
Huntress: Huntress 24/7 Security Operations Center
blogs_huntress · CVSS 8.4 [HIGH]
24/7 Managed SOC Services & Monitoring
Whether an incident goes down at 3:00 p.m. or 3:00 a.m., the Huntress elite AI-assisted SOC team has your back with always-on SOC monitoring and rapid response.
People-Powered Threat Hunting
Automation alone won’t cut it against today’s hackers, and this is where our human security experts come in. The Huntress Security Operations Center (SOC) fills a critical gap in your security with a team of always-on, global badasses on your side. They investigate threats, analyze tradecraft, and shut down attackers 24/7—all so you don’t have to.
Sentinelone: Cl0P
blogs_sentinelone
# Cl0P Ransomware: In-Depth Analysis, Detection, and Mitigation
## What Is Cl0P Ransomware?
CL0P ransomware emerged in early 2019 and is associated with the greater TA505 threat group. They continue to be active as of January 2022. High-profile attacks have highlighted their aggressive campaigns against large enterprises. Malicious payloads are often digitally signed as well as employing multiple controls to avoid analysis.
Some CL0P examples are explicitly designed to not execute on Russian language systems. As with other prominent ransomware families such as Maze and NetWalker, the actors behind the CL0P ransomware have been publicly posting victim data. This practice began in early 2020 and continues to this date.
In 2024, Cl0p was responsible for widespread exploit
Zscaler: CISO Monthly Roundup, January 2025: DeepSeek risks, new Xloader versions, and more | CXO Revolutionaries
blogs_zscaler · Feb 10, 2025 · Deepen Desai (Contributor, Zscaler)
Insights from threats explored by the Zscaler ThreatLabz team in January.
This past month, the Zscaler ThreatLabz security research team detailed the risks in DeepSeek, analyzed Xloader, and revealed the latest obfuscation, specialization, and evasion techniques by LockBit, Clop, and Raspberry Robin.
## DeepSeek: A CISO's Insight into Potential Security Weaknesses
The recent launch of DeepSeek, a large language model (LLM) developed by a Chinese AI company, sent shockwaves across the tech industry. The open source model is accessible globally and comes with its own set of risks. When it comes to LLMs, there are three groups - builders (sm
References:
- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending
- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55956
Timeline:
- 2024-12-13: Published
- 2024-12-17: Added to CISA KEV
- Exploited in the wild