Cleo File Transfer Tool Vulnerability Exploited in Wild Against Enterprises

CVE-2024-50623, an improperly patched vulnerability affecting Cleo file transfer tools, has been exploited in the wild.

Cybersecurity firm Huntress warned on Monday that an improperly patched vulnerability affecting several file transfer products from enterprise software maker Cleo has been exploited in the wild for at least the past week.

Cleo is an Illinois-based company that provides supply chain and B2B integration solutions to more than 4,200 organizations. 

The firm informed customers in late October that it had patched an unrestricted file upload/download issue that could lead to remote code execution. The vulnerability, tracked as CVE-2024-50623, impacts Cleo Harmony, VLTrader, and LexiCom file transfer products, and it was supposed to be fixed with the release of version 5.8.0.21.

However, Huntress determined that version 5.8.0.21 failed to properly patch CVE-2024-50623, and discovered that threat actors have been exploiting the vulnerability in the wild.

The security firm has observed the attackers establishing persistence on compromised systems, conducting reconnaissance, and trying to remain stealthy, among other, unspecified “post-exploitation activities”. 

The incident is reminiscent of the MOVEit hack campaign. When cybercriminals discovered a zero-day in Progress Software’s MOVEit file transfer software a few years ago, they exploited it to steal vast amounts of information from thousands of organizations that had been using the product.  

Huntress said at least 10 businesses had their Cleo servers compromised through the exploitation of CVE-2024-50623, with attack attempts seen against roughly 1,700 servers. Exploitation appears to have started as early as December 3, with a surge in attacks seen on December 8. 

“The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries,” the company said. 

Rapid7 has also confirmed seeing attacks involving exploitation of CVE-2024-50623, noting that “similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents”.

A Shodan search shows hundreds of internet-exposed Cleo product instances running a vulnerable version. 

Huntress has not shared any information on who may be behind these attacks, but it has shared indicators of compromise (IoCs) that can help defenders detect and block attacks. It has also provided some recommendations for preventing exploitation. 

SecurityWeek has reached out to Cleo for comment and will update this article if the company responds. 

Cleo does appear to have updated its advisory a few hours ago with a link pointing to mitigation recommendations, but the document is only available to logged-in users.

Huntress reported that Cleo is working on a new patch, which it expects to release mid-week. A new CVE identifier will also be assigned. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
