Threat Actors Exploit Flaw in Cleo File Transfer Tools ‘En Masse’

Threat actors are exploiting a vulnerability (CVE-2024-50623) in Cleo file transfer tools.

UPDATE - Threat actors are exploiting a remote code execution vulnerability (CVE-2024-50623) in several file transfer tools from enterprise software firm Cleo. While Cleo initially issued a patch for the flaw and told customers to update to the fixed version, version 5.8.0.21, researchers with Huntress this week found that version 5.8.0.21 is still vulnerable to exploitation. On Wednesday evening, Cleo issued a new patch in version 5.8.0.24, which addresses the security flaw.

“This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable,” according to Huntress researchers in a Monday blog post. “We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.”

Key Details: 

  • CVE-2024-50623 is an unrestricted file upload and download flaw that enables unauthenticated remote code execution 

  • The flaw exists in three Cleo file transfer products: Harmony, which is designed for large enterprise file transfer functionalities, VLTrader, which is a server-side application for mid-enterprise organizations, and LexiCom, a desktop-level tool for communications with “major trading networks”

  • According to Huntress, CVE-2024-50623 was first disclosed in October, and the exploitation stems from an incomplete patch for the flaw

  • Huntress researchers said that all versions of Harmony, VLTrader and LexiCom prior to, and including, version 5.8.0.21 are vulnerable. As of Wednesday a patch is available in version 5.8.0.24

The Exploitation: Researchers from Huntress (as well as other firms like Rapid7) have observed widespread exploitation of the flaw throughout their customer environments, with the earliest evidence of exploitation on Dec. 3. Huntress researchers found at least 10 businesses with compromised Cleo servers. Cleo has more than 4,200 customers across several vertical markets, and a search on Shodan, a search engine for Internet-connected devices, reveals several hundred more publicly available and vulnerable servers in the U.S.

“The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries,” said Huntress researchers. “There are still several other companies outside of our immediate view who are potentially compromised as well.”

Huntress researchers described several post-exploitation characteristics of the attacks they observed. Threat actors have been enumerating possible Active Directory assets with domain reconnaissance tools (like nltest.exe, for instance) and dropping (and later deleting) JAR files with webshell-like functionalities for persistence on targeted endpoints. 

What to Do: Because version 5.8.0.21 is still vulnerable, Huntress researchers suggested that businesses implement several mitigations to limit the attack surface. Customers should remove impacted products from the public internet and make sure they’re behind a firewall, according to researchers. Another mitigation is to reconfigure the software to disable the Autorun directory, since the observed attack path achieves code execution through this directory.

“However, this will not prevent the arbitrary file-write vulnerability until a patch is released,” said researchers.
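The version boundaries and mitigations above can be turned into a quick inventory triage. The sketch below is an added example, not code from Huntress or Cleo; the inventory fields, hostnames and action strings are constructed, and only the version numbers and product names come from the article. Versions are compared numerically, because a string comparison would wrongly rank 5.8.0.3 above 5.8.0.21.

```python
import re

# Version boundaries taken from the article; everything else here is constructed.
LAST_VULNERABLE = (5, 8, 0, 21)  # "prior to, and including, version 5.8.0.21"
FIRST_FIXED = (5, 8, 0, 24)      # revised patch
PRODUCTS = {"harmony", "vltrader", "lexicom"}

def parse_version(text):
    """'5.8.0.21' -> (5, 8, 0, 21); short versions are zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Compare numerically: as strings, '5.8.0.3' would sort after '5.8.0.21'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"
    if v <= LAST_VULNERABLE:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"  # the article says nothing about builds between .21 and .24

def triage(inventory):
    """Return (priority, host, status, action) rows, most urgent first."""
    rows = []
    for h in inventory:
        if h["product"].lower() not in PRODUCTS:
            continue  # not one of the three affected products
        status = classify(h["version"])
        if status == "fixed":
            rows.append((3, h["name"], status, "no action"))
        elif h["internet_exposed"]:
            rows.append((1, h["name"], status, "move behind firewall, disable Autorun, patch"))
        else:
            rows.append((2, h["name"], status, "disable Autorun, patch"))
    return sorted(rows)

# Constructed sample inventory (hostnames and fields are hypothetical).
INVENTORY = [
    {"name": "edi-gw-01", "product": "Harmony", "version": "5.8.0.21", "internet_exposed": True},
    {"name": "edi-gw-02", "product": "VLTrader", "version": "5.8.0.3", "internet_exposed": False},
    {"name": "desk-17", "product": "LexiCom", "version": "5.8.0.24", "internet_exposed": False},
    {"name": "edi-gw-03", "product": "Harmony", "version": "5.8.0.22", "internet_exposed": True},
    {"name": "sftp-01", "product": "OtherMFT", "version": "1.0", "internet_exposed": True},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep="  ")
```

Builds the article does not mention (between 5.8.0.21 and 5.8.0.24) are reported as unknown and handled like vulnerable hosts rather than assumed safe.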

Vendor Response: On Wednesday, after issuing an updated patch, a Cleo spokesperson gave the following statement to Vulnerable U Newsroom:

“On December 11, 2024, Cleo released a new security patch to address the previously disclosed critical vulnerability in instances of Cleo Harmony, VLTrader, and LexiCom products. Cleo strongly recommends customers apply the available patch immediately.

Promptly upon discovering the vulnerability, Cleo launched an investigation with the assistance of outside cybersecurity experts, notified customers of the issue and provided instructions on immediate actions customers should take to address the vulnerability. Cleo continues to work proactively to support customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability. Cleo’s investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates.”

Huntress researchers also said they have connected with Cleo representatives, who said that they will have a new patch available as soon as possible. As of Tuesday morning, a patch is not yet available, but Cleo has updated its security advisory to include a link to mitigation resources.

The Big Picture: We’ve seen several vulnerabilities in file transfer tools being exploited over the past few years, including one in Progress Software’s MOVEit software. These products contain massive amounts of data from various companies, widening the attack net for threat actors and making them lucrative targets. 

This article was updated on Dec. 12 at 9am ET to reflect that Cleo has now issued a revised patch.