Recent cybersecurity incidents have exposed critical vulnerabilities in Cleo’s file transfer software – Cleo Harmony, VLTrader, and LexiCom – which are actively being exploited.
These flaws, specifically CVE-2024-50623 and CVE-2024-55956, enable attackers to perform remote code execution (RCE). This can result in unauthorized access, data theft, and even ransomware deployment.
Cleo File Transfer Vulnerabilities Are A New Ransomware Attack Vector
In October 2024, Cleo released version 5.8.0.21 to patch a severe zero-day vulnerability (CVE-2024-50623). This flaw allowed unrestricted file uploads and downloads, enabling attackers to inject and execute malicious files remotely. However, security firm Huntress later revealed that the patch was incomplete, leaving systems vulnerable to attacks from other vectors. Exploitation began as early as December 3, 2024, with attackers uploading Java-based backdoors to compromised systems.
On December 13, CISA (Cybersecurity and Infrastructure Security Agency) confirmed active exploitation of the vulnerability, adding it to their Known Exploited Vulnerabilities (KEV) catalog. These attacks are suspected to involve Termite ransomware and the notorious Cl0p ransomware group.
CVE-2024-50623 And CVE-2024-55956 Flaws Explained
CVE-2024-50623 is a critical zero-day vulnerability in Cleo’s software. It has a CVSS score of 8.8 and enables Remote Code Execution (RCE). The issue stems from improper handling of file uploads in the Autorun directory. Attackers exploit this vulnerability to run unauthorized bash or PowerShell commands.
By sending specially crafted requests, attackers can retrieve files from a server or upload malicious files, leading to code execution. Researchers have observed threat actors using this vulnerability to deploy reverse shells. As a result, this gives them persistent access and control over compromised systems. Approximately 1,342 instances of Cleo software were found exposed online, with 79% located in the United States.
CVE-2024-55956, discovered on December 10, is a more severe vulnerability in Cleo’s software with a CVSS score of 9.8. Like the previous flaw, it allows for RCE through the Autorun directory. This also enables attackers to deploy modular Java backdoors, steal sensitive data, and move laterally within networks. The vulnerability bypasses the earlier patch for CVE-2024-50623, leaving systems exposed even after updates.
Who’s Behind the Attacks?
What about the threat actor, initial suspicions pointed to Termite, particularly after their attacks on Blue Yonder. However, the real culprit was confirmed to be Cl0p. The group, infamous for targeting MFT software (like last year’s MOVEit Transfer breaches), announced on their leak site that they exploited the Cleo vulnerabilities for data theft operations.
Cl0p hackers also claimed to focus only on new victims, deleting data from previous breaches. At least 50 Cleo hosts and 10 businesses have been compromised so far, with many more at risk. During these attacks, researchers also identified a Java-based malware called Malichus.
This malware enables command execution on compromised systems, facilitates data transfers for theft, and supports network communication for lateral movement. Malichus is cross-platform, capable of affecting both Windows and Linux systems, making it highly adaptable for attackers. Reports show that around 1,700 servers were targeted. The retail, food, trucking, and shipping industries were the most impacted, particularly in North America.
Cleo Recommendations for the Customers
Organizations using Cleo software need to act immediately to address these vulnerabilities. The first step is to update all systems to version 5.8.0.24, as this patch resolves both CVE-2024-50623 and CVE-2024-55956.
Disabling the Autorun directory temporarily can prevent attackers from executing unauthorized commands. To further secure their environment, organizations should remove Cleo servers from public internet exposure, protect them with firewalls, and restrict external access.
