Cleo vulnerability: Kellogg’s company reports data theft


WK Kellogg has confirmed a data breach in which sensitive employee data was compromised by exploiting a vulnerability in its Cleo file transfer software.

According to a report filed with the Maine Attorney General's Office on April 4, 2025, attackers gained unauthorized access on December 7, 2024 to personnel files that were being transmitted via Cleo servers. The Michigan-based breakfast cereal maker said it first discovered the incident on February 27, 2025 and has since begun notifying affected individuals by mail.


The full scope of the incident is still unclear. What is confirmed is that at least one employee resident in Maine is affected, whose name and Social Security number were compromised.

Known vulnerabilities exploited

The attackers exploited known vulnerabilities in Cleo's file transfer products Harmony, VLTrader and LexiCom. A vulnerability tracked as CVE-2024-50623 allowed unrestricted file uploads and downloads. Although Cleo had already released a patch for it in October 2024, security researchers later discovered that the fix could be bypassed and did not fully protect exposed servers.

In December, a second vulnerability (CVE-2024-55956) was discovered that allows unauthenticated users to execute arbitrary Bash or PowerShell commands on the server, in effect unauthenticated remote code execution and a direct route for deploying malware. Cleo addressed both issues in version 5.8.0.24; administrators should confirm that every Harmony, VLTrader and LexiCom instance is running that version or later, and treat any internet-exposed instance that was on an older build during December 2024 as potentially compromised rather than merely unpatched.


Clop ransomware group under suspicion

Security firms such as Arctic Wolf and Mandiant (via Infosecurity Magazine) link the attack to a broader campaign targeting organizations that use Cleo products. The Clop ransomware group is suspected of being responsible for the attack. In February, WK Kellogg appeared on Clop's dark web leak site, which put pressure on the company to respond.

WK Kellogg confirmed that the Cleo servers were used to transfer personnel data to HR service providers, and that it was precisely these transfers that the attackers targeted.

The company has begun offering affected individuals a free one-year identity theft protection package that includes credit monitoring and fraud assistance.
