Cleo patches another actively exploited flaw
Take action: If you are using Cleo Harmony, Cleo VLTrader, or Cleo LexiCom, update to the latest version ASAP, because attackers are actively exploiting these platforms. Taking them off the internet is only a temporary fix, because the whole purpose of this software is to be reachable by outside parties. PATCH NOW.
Cleo has released a patch for a new actively exploited flaw that bypasses the patch for CVE-2024-50623, which was initially patched in October 2023.
This new vulnerability is tracked as CVE-2024-55956 (CVSS score 9.8) and affects the LexiCom, VLTrader, and Harmony products in versions before 5.8.0.24. It allows unauthenticated attackers to execute arbitrary bash or PowerShell commands by abusing the default Autorun folder settings.
The attack campaign was first detected by Huntress researchers on December 3, with a significant surge in malicious activity observed on December 8. The attacks have been attributed to the Termite ransomware gang, which recently claimed responsibility for the Blue Yonder breach. The threat actors are deploying a sophisticated Java-based post-exploitation framework, dubbed Malichus malware, which provides attackers with capabilities for file transfers, command execution, and network communication.
Shodan is tracking 421 Cleo servers worldwide, 327 of which are located in the United States. Additional research by Macnica revealed an even larger exposure, identifying 743 Cleo servers accessible online, distributed across their product line with 379 running Harmony, 124 running VLTrader, and 240 running LexiCom. The attacks have already resulted in at least 10 confirmed compromises, while Sophos has identified indicators of compromise on more than 50 Cleo hosts.
The targeting pattern shows a clear focus on North American organizations, particularly in the retail sector, consumer products companies, food industry businesses, and trucking and shipping companies.
Cleo has released version 5.8.0.24, which addresses both the original vulnerability and the zero-day bypass. For organizations unable to implement the patch immediately, Cleo has recommended several mitigation strategies, including moving internet-exposed systems behind a firewall, disabling the Autorun feature, and clearing out the Autorun directory.
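The facts above reduce to a simple triage rule for defenders: any Harmony, VLTrader or LexiCom host running a build older than 5.8.0.24 needs the patch, and the internet-exposed ones need it first (with the firewall/Autorun mitigations in the meantime). The script below is an added example, not Cleo's code or anything from the advisory; it assumes you keep your own inventory of Cleo hosts (product, version string, exposure flag) and shows the one pitfall worth getting right here, namely that four-part version strings must be compared numerically, not as strings, or 5.8.0.9 will look newer than 5.8.0.24.

```python
"""Added example: triage a Cleo host inventory against the fixed build.

Not Cleo's own code. Assumes a self-maintained inventory of hosts; the
sample data at the bottom is constructed for illustration only.
"""
from dataclasses import dataclass

FIXED_VERSION = "5.8.0.24"                      # build that fixes both CVEs
AFFECTED_PRODUCTS = {"harmony", "vltrader", "lexicom"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so the comparison is numeric.

    Plain string comparison ranks '5.8.0.9' above '5.8.0.24' because
    '9' > '2'; tuples of ints compare component by component instead.
    """
    parts = []
    for p in v.strip().split("."):
        if not p.isdigit():
            raise ValueError(f"non-numeric version component {p!r} in {v!r}")
        parts.append(int(p))
    return tuple(parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True for an affected Cleo product whose build predates the fix."""
    if product.strip().lower() not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Host:
    name: str
    product: str
    version: str
    internet_exposed: bool      # reachable from outside, e.g. listed in Shodan


def triage(hosts: list[Host]) -> list[tuple[str, str]]:
    """Return (hostname, action) pairs for every vulnerable host.

    Internet-exposed hosts come first; they get the interim mitigations
    the vendor recommends (firewall, disable Autorun, clear the Autorun
    directory) on top of the patch instruction.
    """
    findings = []
    for h in hosts:
        if not is_vulnerable(h.product, h.version):
            continue
        if h.internet_exposed:
            action = ("PATCH NOW: internet-exposed; move behind a firewall and "
                      "disable/clear Autorun until patched")
        else:
            action = "patch: not exposed, but still runs a vulnerable build"
        findings.append((h.name, h.internet_exposed, action))
    findings.sort(key=lambda f: not f[1])        # stable: exposed hosts first
    return [(name, action) for name, _, action in findings]


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = [
    Host("mft-edge-01", "Harmony", "5.8.0.21", True),
    Host("mft-edge-02", "VLTrader", "5.8.0.9", True),
    Host("mft-int-01", "LexiCom", "5.8.0.24", False),
    Host("mft-int-02", "Harmony", "5.8.0.24", True),
    Host("mft-lab-01", "LexiCom", "5.7.1.3", False),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY):
        print(f"{name}: {action}")
```

Run against the sample inventory it lists the two exposed hosts on 5.8.0.21 and 5.8.0.9 first, then the lab host on 5.7.1.3, and leaves the two hosts already on 5.8.0.24 alone. Feeding it real data means exporting product and version from your own asset records; the script deliberately does not probe the hosts itself.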
Update, as of 16 December 2024: Clop, the gang behind the massive 2023 MOVEit Transfer supply chain attack that affected nearly 2,800 organizations, now claims responsibility for the attacks exploiting the Cleo zero-day vulnerabilities CVE-2024-50623 and CVE-2024-55956. The gang said it was not sure of the exact number of victims in its Cleo attack, but that there were “quite a lot.”