Dive Brief:
- A critical zero-day vulnerability in Cleo file-transfer software is under active exploitation, about six weeks after the company issued an advisory for a previously disclosed CVE, researchers said Monday.
- The company warned in late October about an unrestricted file upload and download vulnerability, listed as CVE-2024-50623, which could lead to remote code execution. Yet, researchers from Huntress on Monday said they are seeing mass exploitation of Cleo products and said a patch issued by the company is not providing adequate protection for the flaw.
- After conferring with researchers, Cleo said it plans to release a new CVE designation for a critical vulnerability in Cleo Harmony, Cleo VLTrader and LexiCom products.
Dive Insight:
Researchers from Huntress said they observed mass exploitation and post-exploitation activity linked to a vulnerability in Cleo Harmony, VLTrader and LexiCom starting on Dec. 3. The company warned in October that the vulnerability affected versions of Harmony, VLTrader and LexiCom prior to version 5.8.0.21 and issued a patch.
On Monday, Huntress researchers said they have observed exploitation of CVE-2024-50623 in prior versions of the software as well as fully patched instances.
“Huntress observed this in-the-wild tradecraft, and subsequently recreated a proof of concept that we believe matches what the threat actors are using to exploit this,” John Hammond, principal security researcher at Huntress, said Tuesday via email. “With that said, since we don't know the full technical details of CVE-2024-50623, we don't know if threat actors were exploiting that specific vulnerability, or executing an entirely new attack vector (since it did successfully compromise patched versions).”
Hammond said researchers spoke with Cleo and the company confirmed it would release a new CVE and a new patch sometime this week. A spokesperson for Cleo did not comment on any specific deliberations, but confirmed that a new patch is under development and a new CVE is pending.
Huntress said it initially found at least 10 compromised companies, mostly in the consumer products, food, trucking and shipping industries. Other companies outside Huntress's visibility were found to be potentially compromised as well.
Researchers from Rapid7 confirmed mass exploitation is underway, referencing a social media post from security researcher Kevin Beaumont which showed that Cleo had contacted customers overnight warning of a critical vulnerability that allows unauthenticated users to import and execute arbitrary bash or PowerShell commands.
Researchers from Censys found 1,342 instances of Harmony, VLTrader and LexiCom exposed online, according to a Tuesday blog post. Of the exposed instances, nearly eight in 10 were in the U.S.
Editor’s note: This story has been updated to include Censys research on the vulnerability.