Cybersecurity experts are sounding the alarm after discovering widespread exploitation of a critical vulnerability in Cleo's managed file transfer (MFT) software, affecting even fully patched systems. Users are urged to secure their instances and avoid exposing them to the internet as threat actors intensify their attacks.
What’s Happening?
On December 3, 2024, cybersecurity firm Huntress detected active exploitation targeting Cleo’s widely used file transfer products LexiCom, VLTrader, and Harmony. The vulnerability, tracked as CVE-2024-50623, is an unauthenticated remote code execution (RCE) flaw rooted in an unrestricted file upload weakness. It lets attackers execute arbitrary code on the server, putting businesses at serious risk of data breaches and ransomware attacks.
Vulnerable Products and Versions
The following Cleo products and versions are affected:
- Cleo Harmony (up to version 5.8.0.23)
- Cleo VLTrader (up to version 5.8.0.23)
- Cleo LexiCom (up to version 5.8.0.23)
Cleo has acknowledged the issue and plans to release a patch later this week. However, cybersecurity researchers warn that the current patches may not fully mitigate the underlying flaw. Organizations are strongly advised to apply all available updates and follow recommended mitigations.
How the Exploit Works
Huntress revealed that attackers are exploiting the vulnerability to drop multiple malicious files. These include an XML file with an embedded PowerShell command that downloads a Java Archive (JAR) file from a remote server.
The attack leverages the software’s “autorun” directory, a sub-folder within the installation path. Any files dropped into this directory are automatically read, interpreted, and executed by the vulnerable software.
Exploitation Timeline:
- First Detected: December 3, 2024
- Major Exploitation Surge: December 8, 2024 (7 a.m. UTC)
At least 10 businesses have confirmed breaches, including consumer product companies, logistics and shipping organizations, and food suppliers.
Threat Actors Involved
Security researchers believe ransomware gangs such as Cl0p (aka Lace Tempest) are behind the attacks. These groups have a track record of targeting managed file transfer tools.
According to cybersecurity researcher Kevin Beaumont, “Termite ransomware group operators (and possibly other groups) have a zero-day exploit for Cleo LexiCom, VLTrader, and Harmony.”
Further investigations by Rapid7 confirmed successful exploitation in customer environments. Broadcom’s Symantec Threat Hunter Team linked the attacks to a modified version of Babuk ransomware, which appends a .termite file extension after encrypting victims’ data.
Recommendations
To reduce the risk of compromise, organizations using Cleo's managed file transfer software should take the following immediate actions:
1. Secure Your Servers:
- Ensure that Cleo instances are not exposed to the internet. Use firewalls and VPNs for access control.
2. Apply Available Patches:
- Regularly check for patches from Cleo and apply them immediately upon release.
3. Review Directory Permissions:
- Audit file upload directories such as “autorun” and disable automatic execution features where possible.
4. Monitor for Indicators of Compromise (IOCs):
- Look for suspicious PowerShell commands or unexpected file uploads in installation directories.
5. Enable Endpoint Protection:
- Deploy advanced endpoint security solutions with behavior-based detection capabilities.
6. Conduct Security Audits:
- Perform regular vulnerability scans and penetration tests to uncover potential security gaps.
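Recommendations 3 and 4 above (audit the “autorun” directory and look for embedded PowerShell or unexpected uploads) can be combined into a simple baseline check. The script below is an added example written for this article, not Cleo's code or an official Huntress detection; the autorun sample files, the XML layout and the indicator regexes are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators a defender would treat as suspicious inside a Cleo "autorun" file:
# a PowerShell invocation, an encoded command, or a remote .jar download, matching
# the Huntress description. These regexes are an assumption, not Cleo's own rules.
SUSPICIOUS_PATTERNS = {
    "powershell_invocation": re.compile(r"powershell(\.exe)?\s", re.IGNORECASE),
    "encoded_command": re.compile(r"-(enc|encodedcommand)\b", re.IGNORECASE),
    "remote_jar_download": re.compile(r"https?://\S+\.jar\b", re.IGNORECASE),
}


def scan_autorun(autorun_dir, baseline):
    """Return (filename, reason) findings for files in the autorun folder that
    are not in the known-good baseline or that contain execution indicators."""
    findings = []
    for path in sorted(Path(autorun_dir).iterdir()):
        if not path.is_file():
            continue
        if path.name not in baseline:
            findings.append((path.name, "not_in_baseline"))
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            findings.append((path.name, "unreadable"))
            continue
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                findings.append((path.name, label))
    return findings


def demo():
    """Build a constructed autorun folder: one baseline job file and one unknown
    XML carrying an embedded PowerShell download command (constructed sample,
    not a real Cleo job format or real indicator)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "scheduled-export.xml").write_text("<job><action>export</action></job>")
        (Path(tmp) / "main.xml").write_text(
            '<job><action>powershell.exe -enc QQBCAEMA '
            'http://example.invalid/loader.jar</action></job>'
        )
        return scan_autorun(tmp, baseline={"scheduled-export.xml"})


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

In production, point scan_autorun at the real autorun sub-folder of the Cleo installation path and seed the baseline from a known-clean inventory taken before exposure.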
Summary
As attacks continue to escalate, Cleo users should brace for potential disruptions and data breaches. The vulnerability’s critical nature underscores the importance of robust patch management, proactive monitoring, and secure file transfer practices.
Staying ahead of these evolving threats requires continuous updates, vigilant threat hunting, and adherence to industry-recommended security protocols.