Cleo released a new patch Wednesday to address a critical CVE and a zero-day vulnerability that security researchers say hackers have been actively exploiting since last week.
The file transfer software firm originally issued a patch in October to address an unrestricted file upload and download vulnerability identified as CVE-2024-50623; however, that patch was later found not to provide adequate protection.
Cleo said a newly discovered vulnerability can allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands. The vulnerability impacts Cleo Harmony, VLTrader and LexiCom file transfer products up to versions 5.8.0.24.
The company is still working on a new CVE designation, but described the vulnerability as critical.
“Cleo continues to work proactively to support customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing the vulnerability,” the company said in a statement.
Cleo has published very limited information publicly, but the company said it has been communicating with customers directly for several days.
Researchers from Huntress first disclosed the exploitation and raised concerns about the patch in a blog post Monday. They had seen active exploitation dating back to Dec. 3.
Huntress warned users of the file-transfer software to disconnect from the public facing internet until a secure patch was available.
Huntress Principal Security Researcher John Hammond said on Wednesday that the newly issued patch appears to provide protection against a proof-of-concept exploit developed by the research firm.
“The current 5.8.0.24 patch is enough to protect Cleo customers from both the old and the new vulnerability,” Hammond told Cybersecurity Dive via email Thursday.
Now that the security update is available, Cleo customers should patch their systems as soon as possible, he added.
Huntress initially found at least 10 organizations infected; however, researchers say that number has since grown. Targeted companies span the consumer products, food, trucking and shipping industries.
Researchers at Rapid7 are also investigating multiple incidents and have observed enumeration and post-exploitation activity. Sophos said nearly all affected customers have a branch operating within North America. A majority of the targeted companies are retail organizations, Sophos said in a social media post on Tuesday.
The Food and Agriculture ISAC is sharing intelligence with member organizations and urged companies to review their data backup strategies, patch management, email filtering and endpoint protection, Director Jonathan Braley said.