A critical vulnerability in Cleo's managed file transfer products, LexiCom, VLTrader and Harmony, is being actively exploited. The flaw (later tracked as CVE-2024-55956) bypasses Cleo's fix for CVE-2024-50623, allows unauthenticated remote code execution, and is currently being used by attackers to steal corporate data.
Impact and Scope:
– Affects Harmony, VLTrader and LexiCom versions 5.8.0.21 and earlier, including the build that was supposed to fix the previous flaw
– Bypasses the fix Cleo shipped for CVE-2024-50623, so patched systems remain exploitable
– Cleo's products are used by roughly 4,000 organizations worldwide, including major retailers and logistics firms; the number actually compromised so far is far smaller (see Current Status)
– 390 internet-exposed Cleo servers identified globally, 298 of them in the US
Attack Details:
– Exploitation began December 3, 2024, with increased activity from December 8
– Attackers drop files named 'healthchecktemplate.txt' or 'healthcheck.txt' into the product's installation tree, where the autorun feature picks them up and executes them
– The dropped files trigger PowerShell commands that download and run additional payloads
– Attack traffic has been linked to IP addresses in multiple countries, including the US, Canada and the Netherlands
– Attribution is tentative; the activity is potentially connected to the Termite ransomware group
Immediate Mitigation Steps:
1. Take Cleo systems off the internet, or place them behind a firewall that restricts access to known partner addresses
2. Disable the autorun feature (in the product's Options > Other pane, clear the Autorun Directory field) so dropped files are no longer executed automatically
3. Monitor the installation directories for unexpected TXT and XML files, in particular the two filenames listed above
4. Review logs and endpoint telemetry for PowerShell processes spawned by the Cleo product
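Steps 3 and 4 are easier to apply consistently with a small hunting script. The following is an added example for this advisory, not Cleo's own tooling: it walks an installation tree for the two reported filenames and for any recently written TXT or XML, and flags log lines that mention PowerShell, rating lines with hidden-window, encoded-command or download switches higher. The directory names, the 24-hour window and the log line format in the demo are assumptions; only the two indicator filenames come from the advisory.

```python
"""Hunt for the Cleo indicators listed above: dropped files named
healthchecktemplate.txt / healthcheck.txt, any recently written TXT or XML
under the installation tree, and PowerShell invocations in log text.
Added example, not Cleo's own tooling; the directory names, 24-hour window
and log format used in the demo are assumptions."""
import os
import re
import sys
import tempfile
import time
from pathlib import Path

# Filenames reported in the attacks (from the advisory above).
INDICATOR_NAMES = {"healthchecktemplate.txt", "healthcheck.txt"}
WATCH_SUFFIXES = {".txt", ".xml"}
# Assumption: a staged download shows up as powershell plus one of the usual
# hidden-window / encoded-command / download switches on the same line.
PS_HIGH_RE = re.compile(
    r"\bpowershell(?:\.exe)?\b.*?(?:-enc(?:odedcommand)?\b|downloadstring|"
    r"invoke-webrequest|\biwr\b|\biex\b|-nop\b|-w(?:indowstyle)?\s+hidden)",
    re.IGNORECASE)
PS_ANY_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)


def find_suspicious_files(root, since_epoch):
    """Walk root and return sorted (path, reason) tuples for the known
    indicator filenames and for any .txt/.xml modified at or after since_epoch."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in INDICATOR_NAMES:
                hits.append((str(path), "known indicator filename"))
            elif (path.suffix.lower() in WATCH_SUFFIXES
                  and path.stat().st_mtime >= since_epoch):
                hits.append((str(path), "recent TXT/XML write"))
    return sorted(hits)


def find_powershell_lines(lines):
    """Return (line_no, severity, text) for every line that mentions
    PowerShell; 'high' when download/encoded-command switches are present."""
    findings = []
    for number, line in enumerate(lines, 1):
        if PS_HIGH_RE.search(line):
            findings.append((number, "high", line.rstrip()))
        elif PS_ANY_RE.search(line):
            findings.append((number, "low", line.rstrip()))
    return findings


# Constructed log lines for the demo; the format is invented, not Cleo's.
SAMPLE_LOG = [
    "2024-12-08 10:14:02 INFO  Host 'Acme' connection established",
    "2024-12-08 10:14:05 INFO  Autorun: processing healthchecktemplate.txt",
    "2024-12-08 10:14:06 INFO  exec: powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A",
    "2024-12-08 10:20:00 INFO  exec: powershell.exe -Command Get-Date",
    "2024-12-08 10:25:00 INFO  Scheduled job completed",
]


def run_demo():
    """Build a throwaway install tree (directory names are assumptions), plant
    one indicator file, one fresh .txt and one ten-day-old .xml, then return
    ([(basename, reason)], powershell findings) for the last 24 hours."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        for sub in ("autorun", "conf", "hosts"):
            os.makedirs(os.path.join(root, sub))
        Path(root, "autorun", "healthchecktemplate.txt").write_text("cmd")
        Path(root, "hosts", "new.txt").write_text("fresh drop")
        old = Path(root, "conf", "old.xml")
        old.write_text("<config/>")
        os.utime(old, (now - 10 * 86400, now - 10 * 86400))
        hits = find_suspicious_files(root, now - 86400)
    files = sorted((os.path.basename(p), reason) for p, reason in hits)
    return files, find_powershell_lines(SAMPLE_LOG)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: scan an installation directory for the last 24 hours and
        # grep any log files passed after it.
        for path, reason in find_suspicious_files(sys.argv[1], time.time() - 86400):
            print(f"FILE  {reason}: {path}")
        for log in sys.argv[2:]:
            with open(log, errors="replace") as fh:
                for number, sev, text in find_powershell_lines(fh):
                    print(f"LOG   {sev:<4} {log}:{number}: {text}")
    else:
        files, findings = run_demo()
        for item in files:
            print("FILE ", item)
        for item in findings:
            print("LOG  ", item)
```

Run it with no arguments to see the constructed demo, or as `python hunt.py /path/to/Harmony /path/to/Harmony/logs/*.log` (path layout assumed) against a real install. A hit on the indicator filenames or a "high" PowerShell line is a reason to treat the host as compromised and start incident response, not just to delete the file; a "recent TXT/XML write" on its own needs a look at what the file contains, since legitimate configuration changes will also trip it.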
Current Status:
– At least ten organizations have been confirmed compromised so far
– Cleo has said it will release a security update within the week
– The existing patch (version 5.8.0.21, issued for CVE-2024-50623) does not stop these attacks
Organizations running Cleo products are strongly advised to apply the mitigation steps above immediately while awaiting the official patch; they are compensating controls, not a fix, and exposed servers that were reachable from the internet during the exploitation window should also be checked for the indicators listed above.