Attack

Cleo file transfer software flaw actively exploited

Take action: If you are using Cleo Harmony, Cleo VLTrader, or Cleo LexiCom, update to the latest version ASAP, because attackers are actively exploiting these platforms. By their very nature these platforms are exposed to the internet, so you can't postpone. Also check the indicators of compromise and block the obvious attack addresses, but that is only a supplement. Patching is a MUST.


Learn More

A significant vulnerability in Cleo's managed file transfer (MFT) products has been discovered and is currently being actively exploited by threat actors.

The vulnerability, tracked as CVE-2024-50623 (CVSS score 8.8), is an unrestricted file upload and download flaw that could lead to remote code execution. The vulnerability affects multiple Cleo products including Cleo Harmony, Cleo VLTrader, and Cleo LexiCom versions prior to 5.8.0.21.

Cleo initially disclosed and patched this vulnerability on October 30, 2023.

However, despite the patch release, Huntress's threat operations center has reported observing exploitation attempts even on systems that appeared to be patched.

According to Huntress's principal security researcher, John Hammond, the company has detected "double-digits worth of intrusions." The attack methodology involves threat actors exploiting a file upload weakness to deploy additional payloads in the autoruns/ subdirectory of the affected program. These payloads leverage an 'Import' command that leaves artifacts in the hosts/ directory.

Indicators of Compromise:

  • Presence of hosts/main.xml file
  • hosts/60282967-dc91-40ef-a34c-38e992509c2c.xml in LexiCom, VLTrader, or Harmony installation folders
  • Cleo####.jar files (e.g., cleo.5264.jar, cleo.6597.jar) under the installation directory
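The file-based indicators above can be checked with a short scan of the installation directory. The script below is an added example (not from the advisory, Huntress, or Cleo): it walks an install tree and reports any `hosts/main.xml`, the specific UUID-named `hosts/*.xml`, and any `cleo.<digits>.jar`; the sample tree it builds for the demo is constructed.

```python
import re
import tempfile
from pathlib import Path

# Filename patterns taken from the advisory's indicators of compromise.
JAR_PATTERN = re.compile(r"^cleo\.\d+\.jar$", re.IGNORECASE)
HOSTS_XML_IOCS = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}


def find_cleo_iocs(install_dir):
    """Walk a Cleo installation directory and return the install-relative
    paths that match the advisory's file-based indicators of compromise."""
    root = Path(install_dir)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # hosts/main.xml and the UUID-named hosts/*.xml from the advisory
        if path.parent.name == "hosts" and path.name in HOSTS_XML_IOCS:
            hits.append(rel)
        # cleo.<digits>.jar anywhere under the installation directory
        elif JAR_PATTERN.match(path.name):
            hits.append(rel)
    return sorted(hits)


def build_sample_install():
    """Create a constructed (fake) installation tree for the demo and
    return its path. It mixes two IoC files with benign-looking files."""
    base = Path(tempfile.mkdtemp(prefix="cleo_demo_"))
    for rel in ["hosts/main.xml", "hosts/legit-partner.xml",
                "autoruns/cleo.5264.jar", "lib/cleo-core.jar", "README.txt"]:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content")
    return str(base)


if __name__ == "__main__":
    sample = build_sample_install()
    for hit in find_cleo_iocs(sample):
        print("IoC match:", hit)
```

Point `find_cleo_iocs` at the real LexiCom, VLTrader, or Harmony installation folder; an empty result only means these particular file indicators are absent, not that the host is clean.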

Known malicious IP addresses to block:


Managed file transfer products have been frequent targets for cybercriminals. Similar attacks occurred against other MFT products in 2023, including Progress Software's MOVEit Transfer and Fortra's GoAnywhere MFT, both of which were exploited by the Clop ransomware gang.

Update - The Termite ransomware group has claimed responsibility for exploiting the recently disclosed file upload vulnerability in Cleo's managed file transfer products, with the group also linking their attack on Blue Yonder and its customer Starbucks to the same vulnerability exploitation campaign.
