Zero Day in Cleo File Transfer Software Exploited En Masse

Security researchers have warned customers of the popular file transfer software vendor Cleo that a zero-day vulnerability is currently being exploited in the wild to steal their data.

Security vendor Huntress was the first to publicize the attacks on Monday, claiming that the remote code execution (RCE) bug CVE-2024-50623 affects the Cleo Harmony, VLTrader and LexiCom products.

It apparently stems from an incomplete vendor patch released in October that the threat actors were able to bypass.

“From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3,” said Huntress.

“The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries. There are still several other companies outside of our immediate view who are potentially compromised as well.”

Cleo released an advisory on Tuesday, urging customers to upgrade to the latest product version (5.8.0.21) “to address additional discovered potential attack vectors of the vulnerability.” However, Huntress claimed that even this patch was “insufficient” against exploits it saw in the wild.

Cleo’s latest communication, issued soon after, noted that products up to version 5.8.0.23 are affected. It features a link for customers so they can take “immediate action” to mitigate the flaw.

“Cleo has identified an unauthenticated malicious hosts vulnerability (CVE pending) that could lead to remote code execution,” it stated.

At the time of writing, the vendor had not released a patch for this new exploit, but one is thought to be pending.

Urgent Action Required

Rapid7 advised Cleo customers to remove affected products from the public internet and ensure they are put behind a firewall.

“Per Huntress’s investigation, disabling Cleo’s Autorun Directory, which allows command files to be automatically processed, may also prevent the latter part of the attack chain from being executed,” it added.

“Huntress’s blog has several descriptions of post-exploitation activity, including attack chain artifacts, commands run and files dropped for persistence. Rapid7 recommends that affected customers review these indicators and investigate their environments for suspicious activity dating back to at least December 3 2024.”

The campaign has echoes of previous efforts by the notorious Clop cybercrime group, which targeted managed file transfer software products from MOVEit, GoAnywhere and Accellion FTA with zero-day exploits, in order to steal and hold customer data to ransom.

Unconfirmed reports suggest that, this time around, the Termite group – previously responsible for an attack on Blue Yonder – may be behind the zero-day campaign.