Cleo managed file transfer products (Harmony, VLTrader, LexiCom) are the confirmed initial access vector in a multi-actor campaign targeting critical infrastructure, involving state-sponsored actors, hacktivists, and ransomware operators including Cl0p. CVE-2024-55956 enables unauthenticated RCE via the autorun directory, and CVE-2024-50623 allows unrestricted file upload; both have been actively exploited, with post-exploitation activity including lateral movement into OT/ICS segments. Unpatched Cleo instances should be immediately isolated from external access and OT networks, then fully patched and have their credentials rotated before reconnection.