Patch, Investigate, and Defend: Critical and High Vulnerabilities in Cleo Managed File Transfer Solutions Reportedly Under Attack

There is news from the U.S. cyber community for organizations that use Cleo’s software products: if your organization or your vendors use Cleo Harmony, VLTrader, or LexiCom, you may be at heightened risk from an active ransomware and data exfiltration campaign. On Friday, the U.S. Cybersecurity and Infrastructure Security Agency added critical-risk and high-risk vulnerabilities affecting Cleo software to its Known Exploited Vulnerabilities catalog, after the cybersecurity community identified threat actor activity involving those vulnerabilities. Intelligence reports indicate that more than 200 organizations may be at risk of compromise.

Cl0p, a known cybercriminal organization, has taken public responsibility for identifying and actively exploiting these vulnerabilities. Cl0p is known for its successful attacks using other managed file transfer solutions, such as Accellion, GoAnywhere, and MOVEit. The vulnerabilities Cl0p is exploiting may allow a threat actor to take total control over the software, and at least one cybersecurity vendor has publicly disputed whether both vulnerabilities have been patched. These may be significant vulnerabilities: they are scored 8.8 and 9.8 under the Common Vulnerability Scoring System, out of a maximum score of 10. The significance of the vulnerabilities for your organization depends on how you use the software and how you apply your cyber controls.

Organizations that use Cleo Harmony, VLTrader, and LexiCom should consider applying the latest patches and actively monitor for indicators of compromise involving the Cl0p exploit observed in the wild. Equally important, infosec teams should identify vendors using Cleo software and confirm that those vendors are also actively patching and monitoring for the indicators of compromise.

The Mintz cybersecurity and privacy team is available as needed to help clients determine the potential impact and mount an effective incident response and remediation operation, including vendor risk assessment and management. We also stand ready to defend any litigation and regulatory actions taken with respect to this matter.

Authors

Scott T. Lashway

Member / Co-Chair, Privacy & Cybersecurity Practice

Scott T. Lashway is a globally recognized privacy and cybersecurity disputes attorney who serves as Co-chair of Mintz’s Privacy & Cybersecurity Practice. He guides clients through high-stakes incident response and breach investigations, complex and bet-the-company litigation, government investigations, and enforcement actions and provides strategic counsel on privacy, cybersecurity, data governance, and AI issues. Scott primarily represents clients in the health care, financial services, technology, artificial intelligence, and media and adtech sectors.

Matthew MK Stein

Special Counsel

Matthew MK Stein is a Special Counsel at Mintz who advises organizations and individuals on data privacy, data governance, and cybersecurity issues. He leverages experience in private practice and as in-house counsel at a global financial institution to litigate, lead investigations, and provide strategic guidance. He represents clients in various industries, including technology, artificial intelligence, financial services, blockchain, and the adtech and martech sectors.