Threat actors have been focusing their efforts on exploiting vulnerabilities in Cleo managed file transfer products, leading to heightened concerns within the cybersecurity community.
Initially, Cleo issued a security advisory and provided a patch in late October to mitigate CVE-2024-50623, an unrestricted file upload and download vulnerability that affected the Harmony, VLTrader, and LexiCom products. However, despite the patch being available, managed security vendor Huntress raised alarm bells on Sunday by alerting the public that threat actors were exploiting instances of Cleo products in connection with CVE-2024-50623. In a blog post on Monday, Huntress advised Cleo customers to place any internet-exposed systems behind a firewall until a new patch could be released.
Responding to the escalating situation, Cleo released version 5.8.0.24 for Harmony, LexiCom, and VLTrader on Wednesday evening. According to the patch notes, the update addressed a critical vulnerability tracked under a pending CVE distinct from CVE-2024-50623. The security advisory accompanying the release stated that the flaw could enable unauthorized users to import and execute arbitrary bash or PowerShell commands on the host system by exploiting the default settings of the Autorun directory.
Notably, Huntress principal security researcher John Hammond remarked on Twitter that version 5.8.0.24 seemed to tackle the new zero-day vulnerability, although it did not specifically target CVE-2024-50623. When pressed for clarification on the relationship between the new vulnerability and previous threat activities, Cleo chose not to provide a response.
Despite the lack of concrete information on the responsible threat actors, multiple cybersecurity firms have observed an uptick in attacks targeting Cleo instances throughout the week. This concerning trend has sparked discussions among industry experts, including TechTarget editors Rob Wright and Alexander Culafi, who delved into the specifics of the threat activity surrounding Cleo on an episode of the “Risk & Repeat” podcast.
The increasingly aggressive attacks directed at Cleo managed file transfer products underscore the ongoing challenges faced by organizations in safeguarding their systems against sophisticated cyber threats. As the situation continues to evolve, cybersecurity professionals remain vigilant in monitoring for any emerging vulnerabilities and working swiftly to implement necessary patches and security measures to protect critical IT infrastructure from potential exploitation.