Cleo patches file transfer zero-day flaw under attack
Cleo published a patch for its Harmony, VLTrader and LexiCom managed file transfer products, which addresses a 'critical vulnerability' that's separate from CVE-2024-50623.
Cleo released a patch Wednesday evening that appears to address a zero-day vulnerability in three of its products that has not yet been assigned a CVE.
The patch follows the recent discovery that threat actors were targeting unrestricted file upload and download vulnerability CVE-2024-50623. Originally patched in late October, the flaw affects Cleo managed file transfer (MFT) products Harmony, LexiCom and VLTrader in versions prior to 5.8.0.21. On Sunday, Max Rogers, senior director of Huntress' threat operations center, said in a post to X, formerly Twitter, that the managed EDR vendor was "seeing exploitation on systems that look patched."
Huntress principal security researcher John Hammond wrote a blog published Monday explaining that Huntress recreated a proof-of-concept exploit and determined that 5.8.0.21 did not manage to fully address CVE-2024-50623 and strongly recommended customers "move any internet-exposed Cleo systems behind a firewall until a new patch is released."
On Wednesday evening, Cleo published version 5.8.0.24 for Harmony, LexiCom and VLTrader, which it said in the patch notes, "Addresses a critical vulnerability which exploits the ability for unrestricted file upload and download and execute malicious host definitions in the product (pending CVE)."
"After applying the patch, errors are logged for any files found at startup related to this exploit, and those files are removed," the patch notes read.
In a security advisory for the flaw, which is separate from the advisory for CVE-2024-50623, Cleo said the vulnerability "could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory." Cleo strongly advised customers to upgrade to the fixed version.
In the release notes for Harmony version 5.8.0.21, Cleo noted the update mitigates "additional discovered potential attack vectors of the identified unrestricted file upload and download vulnerability (CVE-2024-50623)."
Following the publication of 5.8.0.24 on Wednesday, Hammond posted to X saying that, at an initial glance, the patch appears to be effective at preventing Huntress Labs' POC for the undesignated zero-day vulnerability, though not CVE-2024-50623.
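As an added illustration of the two defender-side checks the advisory and release notes imply (this is example code written for this article, not code from Cleo, Huntress or TechTarget), the script below compares an installed build string against the 5.8.0.24 fix level, treats 5.8.0.21 as the known-incomplete patch, and audits whatever sits in an Autorun directory against an allowlist. The Autorun path, the allowlist and the sample files are constructed placeholders; the real directory location depends on the installation.

```python
"""Defender-side inventory check for the Cleo MFT advisory (added example).

1. Version check: is the build at or above 5.8.0.24, the release Cleo
   published for the pending-CVE flaw?  Builds from 5.8.0.21 up to but not
   including 5.8.0.24 are flagged as 'incomplete-patch', matching Huntress's
   finding that 5.8.0.21 did not fully address CVE-2024-50623.
2. Autorun audit: the advisory says the flaw leverages the Autorun directory's
   default settings, so any file there that is not on an explicit allowlist is
   worth reviewing.  The directory used below is a placeholder (an assumption).
"""
import os
import re
import tempfile

FIXED_VERSION = (5, 8, 0, 24)        # from Cleo's December patch notes
KNOWN_INSUFFICIENT = (5, 8, 0, 21)   # October patch, later shown to be incomplete


def parse_version(text: str) -> tuple:
    """Turn a dotted build string such as '5.8.0.24' into a comparable tuple.

    Raises ValueError for anything that is not a dotted run of integers.
    Shorter strings are padded so '5.8' compares like '5.8.0.0'.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def assess_version(installed: str) -> str:
    """Return 'fixed', 'incomplete-patch' or 'unpatched' for an installed build."""
    v = parse_version(installed)
    if v >= FIXED_VERSION:
        return "fixed"
    if v >= KNOWN_INSUFFICIENT:
        return "incomplete-patch"
    return "unpatched"


def audit_autorun_dir(path: str, allowlist: frozenset = frozenset()) -> list:
    """List regular files in the Autorun directory that are not allowlisted.

    Returns the unexpected names sorted; an empty list means nothing to review.
    A missing directory is reported as empty rather than raising.
    """
    if not os.path.isdir(path):
        return []
    unexpected = [
        name for name in os.listdir(path)
        if os.path.isfile(os.path.join(path, name)) and name not in allowlist
    ]
    return sorted(unexpected)


def demo() -> dict:
    """Run both checks on constructed input and return the findings.

    A temporary directory stands in for the real Autorun directory (placeholder).
    """
    with tempfile.TemporaryDirectory() as autorun_dir:
        for name in ("expected.xml", "unexpected.xml"):  # constructed sample files
            with open(os.path.join(autorun_dir, name), "w") as fh:
                fh.write("<!-- constructed sample file -->\n")
        findings = audit_autorun_dir(autorun_dir, allowlist=frozenset({"expected.xml"}))
    return {
        "5.8.0.21": assess_version("5.8.0.21"),
        "5.8.0.24": assess_version("5.8.0.24"),
        "autorun_findings": findings,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on a host by replacing the temporary directory with the product's actual Autorun location and the allowlist with the files you expect to be there; anything the audit returns, or any build that is not reported as "fixed", is the item to act on.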
Informa TechTarget Editorial asked Cleo if the zero-day vulnerability was connected to attacks against CVE-2024-50623, but a spokesperson for the vendor declined to comment. Instead, the spokesperson shared the following statement.
On December 11, 2024, Cleo released a new security patch to address the previously disclosed critical vulnerability in instances of Cleo Harmony, VLTrader, and LexiCom products. Cleo strongly recommends customers apply the available patch immediately.
Promptly upon discovering the vulnerability, Cleo launched an investigation with the assistance of outside cybersecurity experts, notified customers of the issue and provided instructions on immediate actions customers should take to address the vulnerability. Cleo continues to work proactively to support customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability.
Cleo's investigation is ongoing. Customers are encouraged to check Cleo's security bulletin webpage regularly for updates.
As for who has been exploiting the new flaw, security researcher Kevin Beaumont said on Mastodon that the Termite ransomware group, and perhaps others, have access to a zero-day exploit for Cleo's aforementioned MFT products.
Christiaan Beek, senior director of threat analytics at Rapid7, told TechTarget Editorial in an email that the company could not currently verify an individual threat group's involvement in attacks against Cleo instances.
"At this point in time, Rapid7 has no verifiable evidence pointing to a single threat group's involvement. Therefore, any discussion of Termite is speculation. We confirm a group's involvement by correlating the attack's technical indicators, the tools and techniques used, and observations and technical analysis from the past, such as code similarity," Beek wrote in an email. "By themselves each of these things aren't a strong indicator. But together, they paint a verifiable picture."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.