
Cleo zero-day vulnerability gets CVE as attacks continue

The new Cleo zero-day vulnerability, CVE-2024-55956, is separate from CVE-2024-50623 despite both vulnerabilities being used by threat actors to target the same endpoints.

A zero-day vulnerability impacting Cleo managed file transfer products Harmony, VLTrader and LexiCom has been assigned a CVE as exploitation activity continues.

Software vendor Cleo last Wednesday released a patch for a critical vulnerability in its managed file transfer (MFT) products that had not yet been granted a CVE. According to a security advisory, the vulnerability "could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory." The flaw, which was designated CVE-2024-55956 on Dec. 13, was fixed in Cleo Harmony, LexiCom and VLTrader version 5.8.0.24.

The CVE designation follows several days of confusion regarding malicious activity targeting Cleo's MFT products. Cybersecurity company Huntress initially detected attacks against Cleo customers earlier this month that appeared to exploit CVE-2024-50623, an unrestricted file upload and download vulnerability disclosed and patched on Oct. 30.

Huntress published research on Dec. 9 claiming threat actors were still targeting organizations that had patched against CVE-2024-50623 with version 5.8.0.21 of the software. Cleo's threat advisory maintained that Harmony, LexiCom and VLTrader 5.8.0.21 addressed CVE-2024-50623, notwithstanding Huntress' findings. However, the company last Wednesday disclosed a new zero-day vulnerability, which did not have a CVE at the time, that affected its MFT products.

It was unclear whether attacks on Cleo MFT customers were exploiting CVE-2024-50623 or the zero-day, now tracked as CVE-2024-55956. TechTarget Editorial contacted Cleo last week for further clarification on the status of CVE-2024-50623, but the company did not comment directly on the matter.

Cybersecurity vendor Rapid7 provided some clarity on the situation on Monday. In a technical analysis of CVE-2024-55956, the vendor said that although both recent flaws are similar in that they target the same endpoint, the way each flaw is exploited is very different. As such, version 5.8.0.21 for the three MFT products is still vulnerable to CVE-2024-55956.
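The practical consequence of Rapid7's finding is that patch status has to be judged per CVE, not as "patched or not." The following Python script is an added example, not code from Cleo, Rapid7 or Huntress: it triages a constructed host inventory against the two fix levels the article gives (5.8.0.21 for CVE-2024-50623, 5.8.0.24 for CVE-2024-55956). It takes the vendor's stated fix level for CVE-2024-50623 at face value, which, as Rapid7 notes later in the article, has not been independently confirmed.

```python
"""Triage Cleo Harmony, VLTrader and LexiCom versions against CVE-2024-50623 and CVE-2024-55956.

Fix levels are those stated in the article: 5.8.0.21 for CVE-2024-50623 (Oct. 30 patch) and
5.8.0.24 for CVE-2024-55956 (Dec. patch). The inventory at the bottom is constructed sample data.
"""

CLEO_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}

# A host is exposed to a CVE when its version is older than the version that fixed it.
FIXED_IN = {
    "CVE-2024-50623": (5, 8, 0, 21),
    "CVE-2024-55956": (5, 8, 0, 24),
}


def parse_version(text: str) -> tuple:
    """Parse a dotted version such as '5.8.0.21' into a comparable tuple of ints.

    Shorter strings are right-padded with zeros so '5.8' compares as (5, 8, 0, 0).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def exposed_cves(product: str, version: str) -> list:
    """Return the CVEs a Cleo product at this version is still exposed to (empty if fully patched)."""
    if product not in CLEO_PRODUCTS:
        return []  # not one of the three affected MFT products
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def triage(inventory: list) -> dict:
    """Map each host name to the list of CVEs it remains exposed to."""
    return {h["host"]: exposed_cves(h["product"], h["version"]) for h in inventory}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    {"host": "mft-01", "product": "Harmony", "version": "5.8.0.20"},      # predates both fixes
    {"host": "mft-02", "product": "VLTrader", "version": "5.8.0.21"},     # Oct. fix only
    {"host": "mft-03", "product": "LexiCom", "version": "5.8.0.24"},      # current fix level
    {"host": "sftp-09", "product": "OtherProduct", "version": "1.0"},     # not a Cleo MFT product
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = "exposed to " + ", ".join(cves) if cves else "patched for both CVEs"
        print(f"{host}: {status}")
```

The key case is mft-02: a host on 5.8.0.21 is reported as patched for CVE-2024-50623 but still exposed to CVE-2024-55956, which is exactly the distinction that caused the confusion described above.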

"Both CVE-2024-50623 and CVE-2024-55956 are unauthenticated file write vulnerabilities, due to separate issues in the /Synchronization endpoint. Therefore CVE-2024-55956 is not a patch bypass of CVE-2024-50623, but rather a new vulnerability," Rapid7 said. "It is also worth highlighting that while CVE-2024-50623 allows for both reading and writing arbitrary files, CVE-2024-55956 only allows for writing arbitrary files."

More specifically, CVE-2024-50623 was used to write malicious code to the "webserver\AjaxSwing\conf\templates\default-page\body-footerVL.html" file before being "leveraged to achieve server-side template injection (SSTI), and in turn execute an attacker-controlled payload in the form of a Nashorn webshell."

Instead of using SSTI, CVE-2024-55956 allows attackers to "write a Zip file containing a malicious XML file describing a new host."

"The malicious XML file contained a Mailbox action associated with the new host, which when run would execute an arbitrary OS command," Rapid7 said. "A second file was then written to the system to force this Zip file to be imported into the system, thus registering a new host. Finally the malicious Mailbox action was forced to run, thus executing a payload."
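Both chains described above leave artifacts on disk: CVE-2024-50623 modified the AjaxSwing default-page template, and CVE-2024-55956 relies on files being imported from the Autorun directory. A baseline-and-compare check over those locations is a simple defender-side control. The Python below is an added example, not Cleo's or Rapid7's code: it builds a constructed install tree in a temporary directory, hashes the template file named in the article plus everything under an Autorun directory, then simulates a template edit and an unexpected new Autorun file and reports the differences. The template path comes from the article; the `autorun` directory name and the install layout are assumptions for the demo.

```python
"""Baseline-and-compare check for the Cleo artifacts the analysis above singles out.

The install tree built in demo() is constructed for this example. TEMPLATE_REL is the file
path given in the article; AUTORUN_REL is an assumed name for the Autorun directory.
"""
import hashlib
import tempfile
from pathlib import Path

TEMPLATE_REL = Path("webserver/AjaxSwing/conf/templates/default-page/body-footerVL.html")
AUTORUN_REL = Path("autorun")  # assumption: adjust to the product's real Autorun location


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(install_root: Path) -> dict:
    """Hash the template file and every file under the Autorun directory.

    Keys are install-relative POSIX paths so a baseline taken on one host is comparable elsewhere.
    """
    result = {}
    template = install_root / TEMPLATE_REL
    if template.is_file():
        result[TEMPLATE_REL.as_posix()] = sha256_file(template)
    autorun = install_root / AUTORUN_REL
    if autorun.is_dir():
        for p in sorted(autorun.rglob("*")):
            if p.is_file():
                result[p.relative_to(install_root).as_posix()] = sha256_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as added, removed or modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed install tree, baseline it, simulate two changes and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / TEMPLATE_REL).parent.mkdir(parents=True)
        (root / TEMPLATE_REL).write_text("<!-- footer -->\n")
        (root / AUTORUN_REL).mkdir()
        (root / AUTORUN_REL / "README.txt").write_text("expected file\n")
        baseline = snapshot(root)

        # Constructed changes a defender would want flagged: the template is edited and a
        # file nobody placed deliberately appears in the Autorun directory.
        (root / TEMPLATE_REL).write_text("<!-- footer --> <!-- edited -->\n")
        (root / AUTORUN_REL / "new-file.dat").write_text("unexpected\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

In production the baseline would be taken immediately after installing version 5.8.0.24 and stored off-host, with `snapshot()` run on a schedule; any entry under "added" in the Autorun directory or "modified" for the template warrants an investigation rather than a silent re-baseline.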

Regarding the efficacy of Cleo's 5.8.0.21 update against CVE-2024-50623, Rapid7 director of vulnerability intelligence Caitlin Condon told Informa TechTarget Editorial that the company's research of CVE-2024-55956 did not conclusively explore whether the older vulnerability was fully addressed.

"Rapid7 investigated the new vulnerability (CVE-2024-55956) under attack but didn’t do a similar deep-dive assessment of CVE-2024-50623," she said. "The patch for CVE-2024-50623 appears to have added file path validation to address the root cause of that specific vulnerability, but we aren't able to say with high confidence that version 5.8.0.21 remediated the issue fully. CVE-2024-55956 is a new vulnerability with a different root cause than CVE-2024-55956, and while the two CVEs share some similarities, our analysis of the new zero-day does not necessarily imply anything about the fix for the October vulnerability."

As for the threat actor or actors targeting these instances, vendors had not made a definitive attribution at press time. However, the Clop ransomware gang has taken responsibility for the Cleo attacks, according to statements on the gang's leak site. A Clop threat actor was behind the widespread exploitation in 2023 of CVE-2023-34362, a SQL injection zero-day flaw in Progress Software's MOVEit Transfer MFT product. The Clop ransomware gang claimed it stole data from more than 2,000 victims in that massive data theft extortion campaign.

The Shadowserver Foundation, a cybersecurity nonprofit organization, said via a post to X that in a scan conducted on Sunday, approximately 930 instances of Cleo Harmony, VLTrader and LexiCom were still vulnerable to ongoing exploitation targeting CVE-2024-50623 and CVE-2024-55956.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
