A severe security vulnerability affecting Cleo’s managed file transfer software products is currently under active exploitation. The flaw, tracked as CVE-2024-50623, allows unauthorized remote code execution through unrestricted file uploads.
Affected Products:
– Cleo Harmony (versions up to 5.8.0.23)
– Cleo VLTrader (versions up to 5.8.0.23)
– Cleo LexiCom (versions up to 5.8.0.23)
Attack Details:
Cybersecurity firm Huntress discovered mass exploitation beginning December 3, 2024, with a significant spike in attacks on December 8. The vulnerability enables attackers to:
– Drop malicious files in the “autorun” directory
– Execute PowerShell commands
– Deploy harmful Java Archive (JAR) files
Impact:
– At least 10 businesses compromised
– Affected sectors include consumer products, logistics, shipping, and food suppliers
– Termite ransomware group identified as primary threat actor
– Possible connection to previous Cl0p ransomware campaigns
Security Response:
– Cleo has acknowledged the vulnerability
– Initial patches for CVE-2024-50623 proved insufficient
– Additional security advisory pending for a related vulnerability
– New patches expected this week
Recommendations:
Organizations using Cleo products should:
– Immediately check whether any Cleo instances are exposed to the internet
– Apply security updates when available
– Monitor systems for suspicious activity
– Implement additional security measures
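A small triage script a defender could run on a Cleo host, added here as an example and not code from Cleo, Huntress, or the other firms named on this page: it flags installed versions at or below the 5.8.0.23 ceiling listed under Affected Products, and lists files in an autorun directory that match the dropped-file types named under Attack Details (JAR, PowerShell) or were modified after a chosen watch date. The autorun directory path, the version string you feed in, the extensions checked, and the sample files built by demo() are assumptions or constructed, not Cleo defaults.

```python
import os
import tempfile
import time
from pathlib import Path

LAST_AFFECTED = (5, 8, 0, 23)          # affected ceiling stated in the advisory above
SUSPECT_SUFFIXES = {".jar", ".ps1"}    # dropped payload types named above; extensions assumed

def parse_version(text):
    """'5.8.0.23' -> (5, 8, 0, 23), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version):
    """True when the installed version is at or below LAST_AFFECTED (shorter strings pad with 0)."""
    v = parse_version(version)
    width = max(len(v), len(LAST_AFFECTED))
    v = v + (0,) * (width - len(v))
    ceiling = LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))
    return v <= ceiling

def suspicious_autorun_files(autorun_dir, since_epoch):
    """(path, reasons) for files under autorun_dir (assumed location, not a Cleo default) that
    are a suspect type or were modified at/after since_epoch."""
    findings = []
    root = Path(autorun_dir)
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SUSPECT_SUFFIXES:
            reasons.append("suspect type " + path.suffix.lower())
        if path.stat().st_mtime >= since_epoch:
            reasons.append("modified after watch date")
        if reasons:
            findings.append((str(path), reasons))
    return findings

def demo():
    """Constructed sample: throwaway autorun dir with one month-old benign file and two fresh payloads."""
    autorun = Path(tempfile.mkdtemp()) / "autorun"
    autorun.mkdir()
    (autorun / "README.txt").write_text("benign")
    (autorun / "update.jar").write_bytes(b"PK")
    (autorun / "run.ps1").write_text("Write-Host hi")
    old = time.time() - 30 * 86400
    os.utime(autorun / "README.txt", (old, old))
    found = suspicious_autorun_files(autorun, time.time() - 86400)
    return [(Path(p).name, reasons) for p, reasons in found]
```

On a real host, point suspicious_autorun_files at the actual autorun directory and set since_epoch to the start of the exploitation window you care about (for this campaign, December 3, 2024 per the text above).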
The situation remains active with multiple cybersecurity firms, including Rapid7 and Symantec, confirming ongoing exploitation attempts.