Risk & Repeat: Attacks ramp up on Cleo MFT software

Threat actors are targeting Cleo managed file transfer products through two vulnerabilities, including a new zero-day flaw. Cleo first issued a security advisory and patch in late October for CVE-2024-50623, an unrestricted file upload and download vulnerability affecting Cleo's Harmony, VLTrader and LexiCom products.

Beginning this past Sunday, managed security vendor Huntress warned that threat actors were targeting instances of Cleo's products in exploitation activity related to CVE-2024-50623, even those that were already patched. Huntress then published a blog post Monday recommending Cleo customers "move any internet-exposed Cleo systems behind a firewall until a new patch is released."

Then, on Wednesday evening, Cleo released version 5.8.0.24 for Harmony, LexiCom and VLTrader. In patch notes, it addressed a critical vulnerability with a pending CVE that is separate from CVE-2024-50623. The flaw can, according to a security advisory, "allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory."

Huntress principal security researcher John Hammond said in a post on X, formerly Twitter, that 5.8.0.24 appears to address the new zero-day vulnerability, though not CVE-2024-50623. Informa TechTarget Editorial asked Cleo at the time whether the new vulnerability is related to previously reported threat activity, but the company declined to answer.

It is unclear which threat actors are targeting Cleo instances. But several cybersecurity vendors have observed an increasing number of attacks this week.

TechTarget editors Rob Wright and Alex Culafi discuss the threat activity targeting Cleo instances on this episode of the Risk & Repeat podcast.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.