Cleo File Transfer Vulnerability Exploited in Wild

A Cleo file transfer vulnerability is causing serious concern as attackers exploit it in the wild, targeting businesses across various industries. Tracked as CVE-2024-50623, this improperly patched flaw affects Cleo’s popular file transfer tools, including Harmony, VLTrader, and LexiCom.

Despite an earlier attempt to fix the issue, attackers have bypassed the patch, leading to widespread exploitation.

Key Takeaway to Cleo File Transfer Vulnerability:

Businesses using Cleo file transfer tools must update their systems immediately to avoid falling victim to ongoing attacks.

The Cleo File Transfer Vulnerability: An Overview

Cleo, an Illinois-based company providing supply chain and B2B integration solutions, supports over 4,200 organizations globally.

In late October, the company released version 5.8.0.21 to fix a critical unrestricted file upload/download vulnerability that could enable remote code execution.

However, cybersecurity firm Huntress discovered that this patch failed to address the issue, leaving systems exposed to active exploitation.

Details of CVE-2024-50623

Exploitation in the Wild

Attackers have been targeting vulnerable Cleo servers since December 3, with a spike in incidents noted on December 8. So far, at least 10 businesses have been compromised, with attack attempts observed on nearly 1,700 servers.

Huntress reported that attackers use these vulnerabilities to:

• Establish persistence on compromised systems.
• Conduct reconnaissance to understand the network.
• Execute stealthy post-exploitation activities.

Industries Affected

According to Huntress, businesses in the following sectors are the most impacted:

Lessons from the MOVEit Hack

This situation is reminiscent of the MOVEit hack campaign, where cybercriminals exploited a zero-day vulnerability in Progress Software’s file transfer tool to steal sensitive data from thousands of organizations.

That attack serves as a cautionary tale about the dangers of unpatched vulnerabilities in file transfer systems.

Shodan Insights: Exposed Systems

A Shodan search reveals hundreds of internet-exposed Cleo product instances still running vulnerable versions. This underscores the urgent need for organizations to secure their systems by applying Cleo’s forthcoming patch.

Huntress and Rapid7 Sound the Alarm

Both Huntress and Rapid7 have confirmed active exploitation of the Cleo file transfer vulnerability. Rapid7 observed similar enumeration and post-exploitation activity across multiple incidents and is actively investigating.

Recommendations from Huntress

Huntress shared Indicators of Compromise (IoCs) to help defenders detect and block attacks. While Cleo has updated its advisory with mitigation recommendations, the document is restricted to logged-in users on the Cleo website.

Rounding Up

The Cleo file transfer vulnerability highlights the critical need for robust software patching and timely updates. Businesses relying on Cleo’s tools must prioritize securing their systems to prevent unauthorized access and potential data breaches. With attacks escalating, cybersecurity diligence is more important than ever.

Organizations should monitor Cleo’s website for the latest patches and stay informed about evolving threats to protect their operations.

About Cleo

Cleo is a global leader in cloud-based integration solutions, specializing in supply chain management and B2B data exchange. Its flagship products, including Harmony, VLTrader, and LexiCom, are widely used for secure file transfers in enterprise environments.

FAQs