A zero-day vulnerability in Cleo’s managed file transfer (MFT) software is being actively exploited, sparking a wave of ransomware attacks. Security researchers have released a proof-of-concept, and a threat group known as “Termite” is deploying a backdoor called “Cleopatra.” With initial patches failing to fix the issue, over 4,000 businesses are now racing to secure their systems against this escalating threat.
A Critical Flaw in Cleo’s MFT Suite
The vulnerability, which does not yet have a confirmed CVE number despite some reports, affects popular Cleo products including Harmony, VLTrader, and LexiCom. These tools are widely used for transferring large files securely, particularly in the shipping, trucking, and food industries.
The core of the problem is an incomplete patch that allows for arbitrary file writes. This flaw can be exploited by attackers to achieve remote code execution (RCE), giving them full control over the compromised server. This level of access poses a significant risk to the sensitive data handled by these MFT solutions.
The public release of a proof-of-concept exploit has dramatically lowered the barrier to entry for other attackers, increasing the likelihood of widespread and indiscriminate attacks against any organization running a vulnerable version of the software.
The Termite Group and Cleopatra Backdoor
Security analysts have linked the ongoing ransomware campaign to a group called “Termite.” This group is also the primary suspect behind similar attacks on the supply chain software provider Blue Yonder, which impacted major brands like Starbucks. The attack pattern strongly resembles the massive MOVEit ransomware incidents of 2023, signaling a trend of targeting MFT solutions.
The primary weapon used in these attacks is the “Cleopatra” backdoor. It is a sophisticated, cross-platform tool that works on both Windows and Linux systems.
- It uses a malicious PowerShell stager to deploy a Java-based backdoor.
- The backdoor is capable of in-memory file storage, making it harder to detect.
- It is specifically designed to access and steal data from within the Cleo MFT software.
While the initial vulnerability scans were traced to just two IP addresses, the command and control (C2) network used for the backdoor is much larger, complicating efforts to block the attackers.
Patching Problems and Advisory Confusion
Cleo’s response to the vulnerability has created confusion among its customers. The company released an initial patch on October 30 (version 5.8.0.21), but security firm Huntress reported on December 9 that systems with this patch were still being successfully exploited. This indicates the first fix was insufficient.
The absence of a new, clearly communicated CVE for the ongoing issue has made it difficult for organizations to track the vulnerability and confirm if they are protected. Cleo has since released a newer version, 5.8.0.24, as the current fix. The timeline below highlights the rapid escalation of events.
| Date | Event |
| --- | --- |
| Dec. 3 | Active attacks on Cleo MFT begin |
| Dec. 9 | Huntress reports ongoing exploits despite patching |
| Dec. 10 | Cleo updates advisory on patching issues |
| Dec. 11 | watchTowr Labs publishes proof of exploit |
| Dec. 14 | Current date of ongoing ransomware campaign |
A security analyst from Rapid7 noted the ambiguity, stating, “Without a clear CVE, tracking and mitigating the threat becomes a challenge.”
Urgent Defensive Measures for Cleo Users
In response to the growing threat, security experts from Arctic Wolf and other firms are urging all Cleo customers to take immediate action. Simply patching is not enough, as systems may have already been compromised before the latest fix was applied.
Defenders should actively hunt for signs of compromise and harden their systems to prevent future attacks. Monitoring for unusual server activity, especially related to PowerShell, is a critical first step. It is also recommended to restrict access to the MFT applications by placing them behind a VPN or implementing strict IP access control lists to reduce the available attack surface.
Frequently Asked Questions
What is the Cleo MFT zero-day exploit?
It is a critical vulnerability in Cleo’s managed file transfer software that allows attackers to write arbitrary files and execute remote code. This flaw is being actively used to deploy ransomware and a backdoor called Cleopatra.
Which Cleo products are affected?
The vulnerability affects Cleo Harmony, Cleo VLTrader, and Cleo LexiCom. Organizations using any of these products should check their version and apply the latest patches immediately.
What is the Cleopatra backdoor?
Cleopatra is a custom backdoor created to target Cleo MFT systems. It is a Java-based tool that runs on both Windows and Linux, allowing attackers to access, manipulate, and steal data directly from the software.
Is there a final patch available for the vulnerability?
Yes, Cleo has released version 5.8.0.24 as the current fix. The initial patch, version 5.8.0.21, was found to be insufficient and did not fully protect systems from the exploit.
What should I do to protect my organization?
Beyond applying the latest patch (5.8.0.24), your security team should monitor servers for unusual PowerShell activity, audit all internet-facing devices for vulnerabilities, and restrict access to the Cleo application using a VPN or IP allow-lists.
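The monitoring and access-restriction advice in the defensive measures section and in this FAQ answer can be turned into a small hunting script. The following is an added example, not code from Cleo or from any of the firms cited here: it scans process-creation records for PowerShell launched by the MFT host process or with stager-like arguments, and checks a connecting source IP against an allow-list. The log format, the sample events and the MFT_INSTALL_DIR path are constructed placeholders; the real install path and log source would be substituted in practice.

```python
import ipaddress
import re

# Placeholder for the MFT install directory (assumption, not a real Cleo path).
MFT_INSTALL_DIR = r"C:\MFT_INSTALL_DIR"

PS_IMAGES = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}
# Argument patterns commonly seen when PowerShell is used as a stager.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc|-encodedcommand|-nop|-w hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)

# Constructed process-creation events in a simple key="value" format.
EVENTS = [
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\MFT_INSTALL_DIR\\jre\\bin\\java.exe" '
    'CommandLine="powershell -nop -w hidden -enc QUJD"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell Get-Process"',
    'Image="C:\\Windows\\System32\\notepad.exe" '
    'ParentImage="C:\\MFT_INSTALL_DIR\\jre\\bin\\java.exe" CommandLine="notepad"',
]


def parse_event(line):
    """Parse a key="value" record into a dict; values may contain backslashes."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def flag_powershell(line):
    """Return the reasons a record looks like a PowerShell stager (empty if benign)."""
    ev = parse_event(line)
    image = re.split(r"[\\/]", ev.get("Image", "").lower())[-1]
    if image not in PS_IMAGES:
        return []
    reasons = []
    if ev.get("ParentImage", "").lower().startswith(MFT_INSTALL_DIR.lower()):
        reasons.append("powershell spawned by MFT host process")
    if SUSPICIOUS_ARGS.search(ev.get("CommandLine", "")):
        reasons.append("suspicious PowerShell arguments")
    return reasons


def hunt(events):
    """Return (index, reasons) for every record worth an analyst's attention."""
    return [(i, r) for i, line in enumerate(events) if (r := flag_powershell(line))]


def check_allowlist(src_ip, allowed_cidrs):
    """True if src_ip falls inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)
```

Connections to the MFT listener whose source fails check_allowlist are the ones an IP access control list would have blocked, which makes the same check useful for reviewing historical access logs after the patch.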
