Widespread exploitation of a critical vulnerability found in Cleo file-transfer software
A zero-day vulnerability in Cleo's file-transfer software is under active exploitation. The flaw, tracked as CVE-2024-50623, can lead to remote code execution.
Cleo first disclosed the vulnerability six weeks ago and issued a patch in October. That patch does not adequately protect against the flaw, however: exploitation has been observed against both earlier versions of the software and fully patched instances.
Researchers from Huntress have reported mass exploitation and post-exploitation activity linked to the vulnerability beginning on Dec. 3. They have identified at least 10 compromised companies, primarily in the consumer products, food, trucking, and shipping sectors.
Censys, a cybersecurity research firm, found 1,342 exposed instances of Cleo Harmony, VLTrader, and LexiCom online. Nearly eight in ten exposed instances were located in the U.S., according to Censys.
Rapid7, another cybersecurity company, has confirmed ongoing mass exploitation. The activity abuses an unauthenticated file upload vulnerability, which the CISA Known Exploited Vulnerabilities (KEV) Catalog tracks as CVE-2024-55956.
In response, Cleo plans to issue a new CVE designation and a new patch for the critical vulnerability in its Harmony, VLTrader, and LexiCom products. Huntress added that other companies outside its visibility are likely also compromised.
While general information about the exploitation is public, detailed insight into the ongoing mass-exploitation campaign may require access to specific threat intelligence reports or updates from cybersecurity firms. Tools such as EPSS (the Exploit Prediction Scoring System) and the Sniper tool mentioned by Pentest-Tools.com can help gauge the exploitability of known vulnerabilities, but they do not provide specific details on the ongoing mass exploitation of Cleo products.
CISA's KEV Catalog lists Cleo Harmony, VLTrader, and LexiCom as affected by CVE-2024-55956, confirming that the vulnerability is under active exploitation. The catalog does not, however, provide real-time data on exploitation activity.
To mitigate such risks effectively, organisations should stay current with threat intelligence and maintain an active vulnerability management process. Organisations using Cleo products are urged to apply the forthcoming patch as soon as it becomes available.
- Although Cleo issued a patch for the vulnerability (CVE-2024-50623) six weeks ago, the patch appears inadequate: exploitation has been observed against both earlier versions and fully patched instances, so the threat to affected systems persists.
- Given the ongoing exploitation of Cleo Harmony, VLTrader, and LexiCom, companies in sectors such as consumer products, food, trucking, and shipping should prioritize applying the upcoming patches and adopting comprehensive threat intelligence practices to protect their infrastructure.