A newly disclosed critical vulnerability in Cleo's managed file transfer products is being actively exploited by threat actors, potentially putting thousands of organizations at risk. Security firm Huntress reported that the vulnerability (CVE-2024-50623) affects Cleo Harmony, VLTrader, and LexiCom products, including systems running the latest patched version, 5.8.0.21.
The vulnerability allows unauthenticated attackers to achieve remote code execution by leveraging the default settings of the Autorun directory.
Huntress researchers say they have observed evidence of mass exploitation across several sectors, including consumer product companies, logistics organizations, and food suppliers.
While Cleo released a patch in October 2024 (version 5.8.0.21), security researchers found the fix insufficient: fully patched systems remain exploitable. The issue was initially classified as a cross-site scripting vulnerability but was later reclassified as an unrestricted file upload vulnerability (CWE-434).
This incident bears striking similarities to the devastating Progress MOVEit Transfer vulnerability (CVE-2023-34362) discovered in May 2023, which led to hundreds of data breaches affecting over 2,000 organizations and more than 60 million individuals.
The MOVEit exploitation campaign, attributed to the Cl0p ransomware group, resulted in one of the largest mass-hack events of 2023.
"File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular," noted Rapid7 in their advisory. The security firm has confirmed successful exploitation in customer environments and is investigating multiple incidents.
Huntress researchers have identified at least 10 compromised businesses, with exploitation dating back to December 3, 2024. They observed attackers using PowerShell commands to deploy malicious JAR files and perform post-exploitation activities, including domain reconnaissance.
Researchers at watchTowr have also published technical details of the flaw and released proof-of-concept exploit code on GitHub.
POC by watchTowr
Huntress also provided indicators of compromise, including the presence of specific XML files (main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml) containing embedded PowerShell-encoded commands in the hosts subdirectory.
As an immediate mitigation, security experts recommend:
- Moving internet-exposed Cleo systems behind a firewall
- Disabling the Autorun Directory feature
- Reviewing logs for signs of compromise
- Blocking known malicious IP addresses used in the attacks
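The log-review step can be partly scripted against the indicators above. The following is an added example written for this page, not code from Huntress, watchTowr or Cleo: it walks a Cleo hosts subdirectory, flags the two IoC file names, and decodes any Base64 PowerShell -EncodedCommand found inside an XML file so an analyst can read what was executed rather than just seeing an opaque blob. The XML layout, host names and the reconnaissance command in the sample tree are constructed for the demo and are not taken from a real incident; the real hosts directory lives under the Cleo installation path and is the one to scan.

```python
"""Hunt for the Cleo IoCs Huntress described in the product's hosts
subdirectory: the named XML files, and any XML carrying a Base64-encoded
PowerShell command (-EncodedCommand, -enc, -e), which is decoded so the
analyst can read it.  Sample files are constructed here for the demo."""
import base64
import re
import tempfile
from pathlib import Path

# File names from the published indicators of compromise.
IOC_FILENAMES = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}

# Constructed sample payload: domain reconnaissance of the kind the
# post-exploitation activity described in the article would involve.
RECON_CMD = "whoami; nltest /domain_trusts"

# powershell[.exe] ... -e<anything> <base64 blob>.  PowerShell accepts any
# unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), so match all of
# them and let decode_ps() weed out unrelated switches such as -ExecutionPolicy.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?[^<>]*?\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: Base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Return the plaintext of an -EncodedCommand blob, or None if it is not one."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    # A genuine encoded command decodes to readable text, not NULs or garbage.
    if not text.strip() or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def scan_hosts_dir(hosts_dir: Path) -> list:
    """Flag IoC file names and decode embedded PowerShell in every XML file."""
    findings = []
    for xml in sorted(hosts_dir.rglob("*.xml")):
        rel = str(xml.relative_to(hosts_dir))
        if xml.name.lower() in IOC_FILENAMES:
            findings.append({"file": rel, "reason": "ioc-filename", "command": None})
        content = xml.read_text(errors="replace")
        for match in ENCODED_PS.finditer(content):
            command = decode_ps(match.group(1))
            if command is not None:
                findings.append({"file": rel, "reason": "encoded-powershell",
                                 "command": command})
    return findings


def build_sample(root: Path) -> Path:
    """Construct a fake hosts tree (assumed layout, sample data only)."""
    hosts = root / "hosts"
    hosts.mkdir()
    # Benign host with an ordinary post-transfer command: must not be flagged.
    (hosts / "Partner FTP.xml").write_text(
        '<Host alias="Partner FTP">\n'
        '  <Commands>powershell -exec bypass -command Get-Date</Commands>\n'
        '</Host>\n')
    # IoC-named file carrying an encoded command.
    (hosts / "main.xml").write_text(
        '<Host alias="main">\n'
        f'  <Commands>powershell.exe -nop -w hidden -EncodedCommand {encode_ps(RECON_CMD)}</Commands>\n'
        '</Host>\n')
    # Same payload under an innocuous name: file-name matching alone misses it.
    (hosts / "Invoice Pickup.xml").write_text(
        f'<Host alias="Invoice Pickup" cmd="powershell -enc {encode_ps(RECON_CMD)}"/>\n')
    return hosts


def demo() -> list:
    """Build the sample tree in a scratch directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as scratch:
        return scan_hosts_dir(build_sample(Path(scratch)))


if __name__ == "__main__":
    for f in demo():
        extra = f" -> {f['command']}" if f["command"] else ""
        print(f"{f['file']}: {f['reason']}{extra}")
```

Point scan_hosts_dir() at the real hosts subdirectory of the Cleo install. The decode check matters in practice: legitimate host definitions may invoke PowerShell with -ExecutionPolicy or -exec, and a name-only match on "-e" would bury the real hits in noise. The third sample file is there to show why the two IoC file names are a starting point, not a complete check; any XML in that directory that decodes to a readable command deserves a look.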
Cleo has acknowledged the vulnerability and is working on a new patch that is expected to be released mid-week. The company has also opened 24/7 customer support access to all customers, regardless of support level, to address matters related to this vulnerability.
Given the widespread use of Cleo's file transfer solutions in enterprise environments and the current active exploitation, organizations are urged to take immediate action to protect their systems while awaiting a comprehensive fix from the vendor.