Attackers exploit vulnerability in Cleo file transfer software

Cleo disclosed and patched the remote code execution vulnerability in late October, but managed file transfer products have proved to be popular targets for threat actors.

Threat activity against managed file transfer software continues as attackers are actively exploiting a vulnerability in Cleo products.

On Oct. 30, Cleo issued a security advisory for an unrestricted file upload and download vulnerability, tracked as CVE-2024-50623. The flaw affects Cleo Harmony, Cleo VLTrader and Cleo LexiCom prior to version 5.8.0.21, which make up Cleo's managed file transfer (MFT) products. The software company, based in Rockford, Ill., warned that exploitation could lead to remote code execution and urged customers to upgrade to the fixed version.

On Sunday, cybersecurity company Huntress began observing exploitation activity involving CVE-2024-50623. Max Rogers, senior director of Huntress' threat operations center, flagged the activity in a post on X, formerly Twitter, and warned the company was observing exploitation on systems that "looked patched."

UPDATE: In a blog post published Monday evening, Huntress said it created a proof of concept exploit for CVE-2024-50623 and discovered Cleo's patch does not mitigate the vulnerability. "This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released."

John Hammond, principal security researcher at Huntress, confirmed the activity and provided additional information to Informa TechTarget Editorial on Monday. Hammond said Huntress has seen "double-digits worth of intrusions" from CVE-2024-50623. He added that Huntress is actively working to reverse engineer the LexiCom, VLTrader and Harmony products.

"From what we understand at the moment, threat actors are leveraging a file upload weakness to stage further payloads in the autoruns/ subdirectory for the affected program. This autorun/ directory will automatically execute code provided in a certain type of script file. Namely, we see the autoruns leveraging an 'Import' command that will end up leaving an artifact behind in the hosts/ directory (there are also files in the temp/ folder that get created, but usually deleted immediately)," Hammond wrote in an email. "The autoruns file is deleted immediately but the hosts/ file remains left over as a proven indicator of compromise. Customers should be wary of a hosts/main.xml file or a hosts/60282967-dc91-40ef-a34c-38e992509c2c.xml in their LexiCom, VLTrader, or Harmony installation folder."

Hammond agreed with Cleo's recommendation to block the following IP addresses, which the vendor observed being used for external callbacks:


"Additionally, any Cleo####.jar (ex: cleo.5264.jar/cleo.6597.jar etc) files found under the installation directory of Harmony/VLTrader/LexiCom are leftover payload files. These are indicative of exploitation," Hammond said.
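A defender-side check for the file indicators Hammond describes above, added here as an example (not code from Huntress or Cleo): it scans a Harmony/VLTrader/LexiCom installation directory for the leftover hosts/ artifacts and Cleo####.jar payload files, run against a constructed sample tree. The function names, the lib/ subfolder and the sample file contents are assumptions for the demo.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article: leftover hosts/ files and Cleo####.jar payloads.
HOSTS_IOC_FILES = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}
JAR_IOC_PATTERN = re.compile(r"^cleo\.\d+\.jar$", re.IGNORECASE)


def scan_cleo_install(install_root):
    """Return sorted (category, relative_path) pairs for indicators under install_root.

    install_root is the product's installation directory (hypothetical parameter name).
    """
    root = Path(install_root)
    hits = []
    hosts_dir = root / "hosts"
    if hosts_dir.is_dir():
        for path in hosts_dir.iterdir():
            if path.is_file() and path.name in HOSTS_IOC_FILES:
                hits.append(("hosts-artifact", path.relative_to(root).as_posix()))
    # Payload jars may be dropped anywhere under the install directory, so walk recursively.
    for path in root.rglob("*.jar"):
        if path.is_file() and JAR_IOC_PATTERN.match(path.name):
            hits.append(("payload-jar", path.relative_to(root).as_posix()))
    return sorted(hits)


def build_sample_install(base_dir):
    """Construct a fake install tree (not real Cleo data): three indicators, two clean files."""
    root = Path(base_dir) / "LexiCom"
    (root / "hosts").mkdir(parents=True)
    (root / "hosts" / "main.xml").write_text("<constructed/>")
    (root / "hosts" / "60282967-dc91-40ef-a34c-38e992509c2c.xml").write_text("<constructed/>")
    (root / "hosts" / "partner.xml").write_text("<legit/>")  # ordinary host config, not an IoC
    (root / "lib").mkdir()
    (root / "lib" / "cleo.5264.jar").write_bytes(b"PK")  # matches the Cleo####.jar pattern
    (root / "lib" / "lexicom.jar").write_bytes(b"PK")  # product's own jar, not an IoC
    return root


def demo():
    """Build the constructed tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_cleo_install(build_sample_install(tmp))


if __name__ == "__main__":
    for category, rel in demo():
        print(f"{category}: {rel}")
```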

Cleo did not respond to requests for comment at press time.

While the attack scope remains unknown, MFT products have proved to be a popular target for attackers in recent years. For example, in 2023 the Clop ransomware gang claimed thousands of victims by exploiting one zero-day vulnerability in Progress Software's MOVEit Transfer product.

Prior to that, Clop also exploited a zero-day vulnerability in Fortra's GoAnywhere MFT software that led to massive fallout. Attackers also exploited a critical Citrix ShareFile vulnerability, tracked as CVE-2023-24489, last year, two months after Citrix disclosed the flaw and released a fix.

This article was updated on 12/10/2024.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
