Critical Zero-Day Flaw in Cleo Software Actively Exploited for Data Theft

Cleo Security Breach: Zero-Day Vulnerability Exploited in Data Theft Attacks

Cleo has issued critical security updates addressing a zero-day vulnerability affecting its LexiCom, VLTrader, and Harmony software products. The flaw, initially patched in October as CVE-2024-50623, has been circumvented by attackers who discovered a way to bypass that patch by targeting the software’s Autorun folder settings.

Security researchers at Huntress identified attack patterns beginning December 3, with a sharp increase in activity observed on December 8. The vulnerability enables attackers to execute unauthorized bash or PowerShell commands on the server, potentially leading to data theft. The attacks have been linked to the Termite ransomware group, known for its recent breach of Blue Yonder.

Impact and Exposure:
– 421 Cleo servers identified worldwide via Shodan
– 327 servers located in the United States
– Additional research revealed 743 accessible servers globally

Security Response:
– Cleo has released version 5.8.0.24 to address the vulnerability
– Customers are urged to upgrade immediately
– As a temporary mitigation, the Autorun feature can be disabled until the upgrade is applied

Attack Details:
– Attackers deploy Malichus malware, a Java-based post-exploitation framework
– The malware primarily targets Windows systems
– Its capabilities include file transfers, command execution, and network communication

Current Impact:
– At least ten companies confirmed compromised
– Over 50 Cleo hosts show compromise indicators
– Majority of affected organizations are U.S.-based retail companies

The attack pattern mirrors previous data theft campaigns targeting managed file transfer systems, including the MOVEit Transfer, GoAnywhere MFT, and Accellion FTA incidents.