HIGHSupply Chain
Verified
Global

Cl0p Mass Exploits Cleo File Transfer Zero-Day — 600+ Organizations Hit

Sunday, March 22, 2026 at 11:00 AM UTC·Source: Huntress / Cleo Advisory

Updated: Monday, March 23, 2026 at 09:00 AM UTC

Executive Summary

Cl0p launches fourth major file transfer campaign exploiting Cleo Harmony, VLTrader, and LexiCom zero-day. Systematic data exfiltration ongoing.

Analysis

CVE-2026-27891 is a deserialization flaw in Cleo products allowing unauthenticated RCE. Huntress detected exploitation March 18. Over 600 organizations compromised. This is Cl0p fourth file transfer campaign after Accellion, GoAnywhere, and MOVEit.

Timeline

Discovered
Mar 18, 2026
Exploitation Detected
Mar 18, 2026
Published
Mar 22, 2026
Patch Available
Mar 21, 2026

Indicators of Compromise (1)

CVE (1)
CVE-2026-27891
NVDMITRE CVE
Source Attribution

Originally published by Huntress / Cleo Advisory on Mar 22, 2026. Verified by: Huntress, CISA, Cleo.

Related Threats

MEDIUMSupply Chain

Mercor confirms security incident tied to LiteLLM supply chain attack

Although the LiteLLM attack was reportedly tied to a group called TeamPCP, the hacking gang Lapsus$ claimed on its website that it obtained hundreds of gigabytes of Mercor’s data.

The Record
MEDIUMSupply Chain

Threat Brief: Widespread Impact of the Axios Supply Chain Attack

Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup. The post Threat Brief: Widespread Impact of the Axios Supply Chain Attack appeared first on Unit 42 .

Unit 42 (Palo Alto)
LOWSupply Chain

Axios NPM Package Breached in North Korean Supply Chain Attack

A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored package versions. The post Axios NPM Package Breached in North Korean Supply Chain Attack appeared first on SecurityWeek .

SecurityWeek