A critical vulnerability in Cleo managed file-transfer software has been actively exploited in the wild, with CISA confirming its use in ransomware attacks and adding the flaw to its Known Exploited Vulnerabilities catalog. Reporting indicates the bug affects Cleo products used for secure file exchange, and defenders were urged to patch immediately, restrict internet exposure, and investigate signs of compromise as exploitation spread broadly.
Further reporting tied the campaign to activity dating back to October, with Mandiant tracing exploitation earlier than initially disclosed and indicating attackers had been abusing the Cleo flaw for weeks before public warnings intensified. The overlap between mass exploitation, confirmed ransomware use, and the extended dwell time raised concern that organizations relying on Cleo software may have been compromised well before detection and should review logs, isolate affected systems, and assess for follow-on intrusion activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Mandiant publicly stated that its investigation traced the Cleo exploitation activity to October 2024, providing additional timeline and attribution context for the campaign. This disclosure clarified that the attacks had been ongoing for weeks before broader public awareness in December.
CISA confirmed that a critical Cleo vulnerability was being exploited in ransomware-related intrusions and added the issue to its Known Exploited Vulnerabilities catalog. The confirmation elevated the incident from active exploitation reporting to an officially recognized ransomware threat.
By early December 2024, security reporting indicated that a critical vulnerability in Cleo managed file-transfer software was under mass exploitation. The reporting highlighted active attacks affecting organizations using Cleo products.
Mandiant traced exploitation of vulnerabilities in Cleo Harmony, VLTrader, and LexiCom products back to October 2024, indicating attackers had been abusing the flaws before public reporting. The activity marked the start of the intrusion campaign later tied to widespread compromise and extortion activity.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritydive.com
Open sourcesocradar.io
Open sourcebleepingcomputer.com
Open sourcecybersecuritydive.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.