Software company Cleo has issued an urgent warning to customers, urging them to immediately apply a new patch for a critical vulnerability actively exploited by cybercriminals. The flaw, initially identified as CVE-2024-50623, affects Cleo’s widely used file-sharing solutions: Harmony, VLTrader, and LexiCom.
The bug was first addressed with a patch in October. However, researchers at cybersecurity firm Huntress found that systems remained vulnerable even after applying the initial fix. On Wednesday night, Cleo rolled out a new patch to address the issue and confirmed that a new CVE is in the process of being assigned.
“Cleo continues to work proactively to support customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance,” a Cleo spokesperson stated. “Promptly upon discovering the vulnerability, Cleo launched an investigation, notified customers, and provided immediate mitigation steps.”
Malware Deployment and Exploitation
Huntress researcher John Hammond revealed that compromised organizations monitored by the firm have grown to 24, with most victims operating in consumer goods, shipping, and retail supply sectors. Hammond’s team uncovered a new malware family, dubbed Malichus, deployed by hackers exploiting the Cleo bug.
“The attackers are sophisticated, demonstrating intimate knowledge of Cleo software and deploying a clever, complex attack,” Hammond explained. He further noted that Blue Yonder, the software company recently struck by a pre-Thanksgiving ransomware attack, had instances of Cleo software exposed to the internet. The attack, credited to the Termite ransomware gang, disrupted operations for retailers like Starbucks.
A Link to Clop?
Cybersecurity firms Arctic Wolf Labs and watchTowr have observed mass exploitation campaigns against Cleo’s Managed File Transfer (MFT) products, starting December 7. The Termite ransomware gang is widely believed to be behind these attacks, with growing suspicions of a link to the notorious Clop ransomware group.
Hammond theorized, “There’s some data suggesting Termite may have ties to Clop. Clop’s activity has declined while Termite’s presence has surged. Their tactics are also similar. While attribution remains speculative, this could indicate a strategic shift among ransomware groups.”
Ongoing Risks and Widespread Exposure
A Shodan search revealed approximately 160 Cleo endpoints still exposed to the internet, despite widespread advisories. Hammond emphasized that the malicious activity observed so far focuses on gaining initial access, establishing persistence, and conducting network reconnaissance; no evidence of ransomware deployment or significant data theft had emerged at the time of reporting.
Rapid7’s threat analytics team, which analyzed the same malware samples, corroborated Huntress’ findings. “The attacks align with typical reconnaissance behavior and are too generic to conclusively attribute to a specific threat group,” said Christiaan Beek, Rapid7’s senior director of threat analytics.
Sophos and other cybersecurity firms reported that most affected organizations operate in North America, primarily the United States, with a strong concentration in the retail industry.
Scott Algeier, executive director of the Food and Agriculture ISAC, confirmed they are closely monitoring the situation. “Some enterprises in the food sector could be impacted, but we’ve seen no indications of widespread supply chain disruptions so far.”
Immediate Mitigation Steps
Cleo has privately advised customers to apply the latest patch without delay and block specific IP addresses associated with ongoing exploitation. Organizations using Harmony, VLTrader, or LexiCom—particularly those handling large-scale enterprise data transfers—are strongly urged to secure their systems.
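Blocking the indicator addresses is only half of the mitigation described above; the other half is checking whether those addresses have already reached the MFT hosts. The script below is an added example, not Cleo's, Huntress' or any other vendor's code. The blocklist entries, log lines and request paths in it are constructed stand-ins (RFC 5737/3849 documentation ranges), not the indicators Cleo distributed, and the log format is assumed to be Apache/nginx combined style; a practitioner would substitute the vendor's list and the host's real access logs. It matches each source address against single hosts and CIDR ranges (IPv4 and IPv6), counts hits per address, and renders the matching firewall rules.

```python
"""Triage MFT access logs against an indicator blocklist and render block rules.

Added example (not Cleo's or Huntress' code). BLOCKLIST and SAMPLE_LOG are
constructed for illustration; replace them with the vendor's indicators and
the real access log before use.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical indicator list: single hosts and CIDR ranges, as an advisory
# might supply them. Constructed documentation addresses, not real indicators.
BLOCKLIST = [
    "203.0.113.45",
    "198.51.100.0/24",
    "2001:db8::/32",
]

# Constructed combined-format log lines. The request paths are stand-ins and
# do not describe Cleo's real HTTP endpoints. One malformed line is included
# so the parser's failure path is exercised.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Dec/2024:03:14:07 +0000] "POST /Synchronization HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.10 - - [10/Dec/2024:03:15:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Dec/2024:03:16:22 +0000] "POST /Synchronization HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.77 - - [10/Dec/2024:03:16:23 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "curl/8.4.0"
2001:db8:1::9 - - [10/Dec/2024:03:17:00 +0000] "POST /Synchronization HTTP/1.1" 403 0 "-" "-"
not a log line at all
"""

# Apache/nginx "combined" format: client ip, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def compile_blocklist(entries):
    """Parse blocklist strings into network objects; a bare host becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(ip_str, networks):
    """True if ip_str is a valid address contained in any blocklisted network."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def triage(log_text, blocklist):
    """Return matching log entries, a per-address hit count and the number of unparsable lines."""
    networks = compile_blocklist(blocklist)
    hits = []
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # keep going: a broken line must not hide later hits
            continue
        if is_blocked(m["ip"], networks):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "request": f'{m["method"]} {m["path"]}',
                "status": int(m["status"]),
            })
    return {
        "hits": hits,
        "by_ip": Counter(h["ip"] for h in hits),
        "unparsed": unparsed,
    }


def render_block_rules(blocklist):
    """Render one DROP rule per entry, choosing iptables or ip6tables by address family."""
    rules = []
    for net in compile_blocklist(blocklist):
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {net} -j DROP")
    return rules


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, BLOCKLIST)
    for hit in result["hits"]:
        print(f'{hit["ts"]}  {hit["ip"]:<16} {hit["request"]} -> {hit["status"]}')
    print("hits per address:", dict(result["by_ip"]))
    print("unparsable lines:", result["unparsed"])
    print("\n".join(render_block_rules(BLOCKLIST)))
```

Two design points: the match is done with `ipaddress` containment rather than string comparison, so a CIDR entry catches every host in the range and an IPv6 indicator is handled without special casing; and a hit with a 403 still counts, since a blocked request from an indicator address tells you the host was targeted even if that attempt failed.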
With the vulnerability being actively exploited and ransomware gangs circling, time is critical. The Cleo situation underscores the ongoing threats posed by vulnerabilities in enterprise file-sharing software and the sophisticated actors exploiting them.

