New Cleo zero-day RCE flaw exploited in data theft attacks

Published 11/12/2024 02:51 · Modified 11/12/2024 11:33

Essential information

Tags
2024-12-11 CVE-2024-50623 cleo cleo harmony data theft lexicom rce termite vltrader zero-day
Related entities
1 intrusion sets (apt), 9 techniques (mitre), 1 malware

Description

A critical vulnerability in Cleo's managed file transfer software is being actively exploited by hackers to breach corporate networks and steal data. The flaw affects LexiCom, VLTrader, and Harmony products, allowing unrestricted file uploads and downloads that lead to remote code execution. It bypasses a previous fix for CVE-2024-50623. Exploitation began on December 3, 2024, with a significant increase on December 8. The attacks involve writing malicious files into the 'autorun' directory, where they are processed automatically, executing PowerShell commands and downloading additional payloads. At least ten organizations have been impacted, with 390 potentially vulnerable servers identified globally. Users are advised to take immediate mitigation steps, including moving exposed systems behind firewalls and disabling the autorun feature.

External references