Cl0p Mass Exploits Cleo File Transfer Zero-Day — 600+ Organizations Hit

Sunday, March 22, 2026 at 11:00 AM UTC·Source: Huntress / Cleo Advisory

Updated: Monday, March 23, 2026 at 09:00 AM UTC

Executive Summary

Cl0p launches fourth major file transfer campaign exploiting Cleo Harmony, VLTrader, and LexiCom zero-day. Systematic data exfiltration ongoing.

Analysis

CVE-2026-27891 is a deserialization flaw in Cleo products allowing unauthenticated RCE. Huntress detected exploitation March 18. Over 600 organizations compromised. This is Cl0p fourth file transfer campaign after Accellion, GoAnywhere, and MOVEit.

Timeline

Discovered

Mar 18, 2026

Exploitation Detected

Mar 18, 2026

Published

Mar 22, 2026

Patch Available

Mar 21, 2026

Indicators of Compromise (1)

CVE (1)

CVE-2026-27891

NVD MITRE CVE

Source Attribution

Originally published by Huntress / Cleo Advisory on Mar 22, 2026. Verified by: Huntress, CISA, Cleo.

Related Threats

MEDIUMSupply Chain

The npm Threat Landscape: Attack Surface and Mitigations (Updated May 20)

Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The post The npm Threat Landscape: Attack Surface and Mitigations (Updated May 20) appeared first on Unit 42 .

1h agoUnit 42 (Palo Alto)

LOWSupply Chain

GitHub admits major source code leak after 3,800 internal repositories breached

Microsoft’s GitHub has suffered what appears to be its biggest ever security breach after confirming that attackers exfiltrated code from around 3,800 of the company’s internal repositories. News of the incident first emerged on May 19, when GitHub said it was investigating “unauthorized access.” Hours later, the company’s X account confirmed the worst: “Yesterday we detected and contained a compr

5h agoCSO Online

MEDIUMSupply Chain

Mini Shai-Hulud Hits Hundreds of npm Packages in AntV Ecosystem

Mini Shai-Hulud worm hits Alibaba AntV ecosystem in largest npm supply chain wave to date

6h agoInfosecurity Magazine