Cleo File Transfer Tool Vulnerability Exploited in Wild Against Enterprises


Cybersecurity firm Huntress warned on Monday that an improperly patched vulnerability affecting several file transfer products from enterprise software maker Cleo has been exploited in the wild for at least the past week.

Cleo is an Illinois-based company that provides supply chain and B2B integration solutions to more than 4,200 organizations.

Cleo informed customers in late October that it had patched an unrestricted file upload/download issue that could lead to remote code execution. The vulnerability, tracked as CVE-2024-50623, impacts the Cleo Harmony, VLTrader, and LexiCom file transfer products, and it was supposed to be fixed with the release of version 5.8.0.21.

However, Huntress determined that version 5.8.0.21 does not properly patch CVE-2024-50623, and discovered that threat actors have been exploiting the vulnerability in the wild.

The security firm has observed the attackers establishing persistence on compromised systems, conducting reconnaissance, and trying to remain stealthy, among other, unspecified "post-exploitation activities".

The incident is reminiscent of the MOVEit hack campaign. When cybercriminals discovered a zero-day in Progress Software’s MOVEit file transfer software a few years ago, they exploited it to steal vast amounts of information from thousands of organizations that had been using the product.  

Huntress said at least 10 businesses had their Cleo servers compromised through the exploitation of CVE-2024-50623, with attack attempts seen against roughly 1,700 servers. Exploitation appears to have started as early as December 3, with a surge in attacks seen on December 8. 

“The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries,” the company said. 


Rapid7 has also confirmed seeing attacks involving exploitation of CVE-2024-50623, noting that “similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents”.

A Shodan search shows hundreds of internet-exposed Cleo product instances running a vulnerable version. 

Huntress has not shared any information on who may be behind these attacks, but it has shared indicators of compromise (IoCs) that can help defenders detect and block attacks. It has also provided some recommendations for preventing exploitation. 

SecurityWeek has reached out to Cleo for comment and will update this article if the company responds. 

Cleo does appear to have updated its advisory a few hours ago with a link pointing to mitigation recommendations, but the document is only available to logged-in users.

Huntress reported that Cleo is working on a new patch, which it expects to release mid-week. A new CVE identifier will also be assigned. 
