Cybersecurity researchers are raising alarms about vulnerabilities in several file transfer products from Cleo, which are being actively exploited by hackers despite a recent patch release.
Vulnerability Details
The vulnerability, identified as CVE-2024-50623, affects Cleo’s LexiCom, VLTransfer, and Harmony products. While the developer released a patch to address the issue, cybersecurity firm Huntress reported that the patch, version 5.8.0.21, “does not mitigate the software flaw.” Threat actors have been exploiting the vulnerability “en masse” over the past week, according to Huntress.
“This vulnerability is being actively exploited in the wild, and fully patched systems running 5.8.0.21 are still exploitable,” Huntress warned. “We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.”
Cleo’s Response
A spokesperson for Cleo acknowledged the vulnerability in their Harmony, VLTrader, and LexiCom products.
“Promptly upon discovering the vulnerability, we launched an investigation with the assistance of outside cybersecurity experts, notified customers of this issue, and provided mitigation steps customers should immediately take to address the vulnerability while a patch is under development,” the spokesperson stated. “Our investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates.”
Active Exploitation
Huntress incident responders have observed at least 10 businesses using Cleo products that have been compromised. Exploitation activities reportedly surged on December 8, though evidence suggests initial exploitation began as early as December 3. The majority of affected customers operate in the consumer products, food, trucking, and shipping industries.
“There are still several other companies outside of our immediate view who are potentially compromised as well,” Huntress said.
Huntress has collaborated with Cleo to share its findings, confirming that the company is developing a new CVE patch expected to be released midweek. Huntress also published detailed technical guidance to help incident responders identify evidence of exploitation.
Additional Expert Insights
Cybersecurity expert Kevin Beaumont highlighted that Cleo initially published a paywalled advisory for customers before making a limited public version available on Tuesday. Beaumont also noted that the Termite ransomware group has been observed exploiting the vulnerability. Termite recently gained attention for attacking a prominent software company serving major retailers.
Incident responders from Rapid7 confirmed Huntress’ findings, observing exploitation of the vulnerability in their customers’ environments.
Broader Context
File transfer tools have increasingly become prime targets for hackers. Many of the most significant data theft campaigns in recent years have been traced back to vulnerabilities in popular products like MOVEit, GoAnywhere, and Accellion. The ongoing exploitation of Cleo’s products underscores the importance of timely patches and robust security practices to mitigate risk.
Recommendations
Organizations using Cleo products should:
- Immediately move any internet-exposed systems behind a firewall.
- Monitor Cleo’s security bulletins for updates and patch availability.
- Conduct thorough assessments to detect signs of compromise.
- Implement additional network monitoring tools to identify suspicious activity.
As attackers continue to exploit vulnerabilities in file transfer tools, it is critical for organizations to remain vigilant and proactive in securing their systems.
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
