Cleo VLTrader, Cleo Harmony, and Cleo LexiCom are all being actively exploited after an update fails to address known vulnerabilities.
Multiple security firms, including Huntress and Rapid7, are warning of ongoing active exploitation of vulnerabilities in a suite of managed file transfer programs developed by software company Cleo.
The impacted products are Cleo VLTrader, Cleo Harmony, and Cleo LexiCom, which Cleo patched in October with the release of version 5.8.0.21 of all three products.
Security firms, however, have been tracking active exploitation of systems running that patched version since at least 9 December. Cleo itself released a new advisory on 10 December, which is apparently behind a paywall, saying that it was aware of a “critical vulnerability in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory”.
Rapid7 is currently tracking multiple instances of successful exploitation.
“As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents,” Rapid7 said in an 11 December update to its blog post on the activity.
“File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular. Rapid7 recommends taking emergency action to mitigate risk related to this threat.”
The vulnerability patched in October was CVE-2024-50623, which allowed remote code execution. Because the 5.8.0.21 release did not fully address the problem, Cleo has advised that it is working to assign a new CVE to the issue now being exploited.
Cleo said on its website that it has 4,200 customers, though Caitlin Condon, Rapid7’s head of vulnerability research, said there is only a small population of exposed systems.
“A naive query to an internet exposure engine shows a relatively small population of internet-exposed systems (i.e., in the mid- to high hundreds, depending on the query). Any affected system on the open internet is easy to find and exploit if a threat group already has a working exploit,” Condon said.
“Clearly, at least one group does have a working exploit, since Rapid7 and others are observing active exploitation. We aren’t able to say definitively as of right now whether this is one or multiple threat actors, but it’s a good bet that additional adversaries will develop or pick up exploit code as time goes on.”
As to the nature of the exploitation, Rapid7 has not seen any ransomware activity as of writing.
“Rapid7 has observed successful exploitation of this vulnerability in customer environments,” Condon said.
“We have not attributed the attack to any specific group or motivation, but historically, attacks on file transfer solutions have been financially motivated (i.e., for ransomware deployment and/or extortion). We have not observed ransomware deployment as of today.”
Rapid7 advises Cleo customers to remove the affected products from the internet and ensure they are behind a firewall.
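Because the advisory quoted above ties the exploitation to files placed in the Autorun directory, and because the patched version number is itself no indication of safety, a first triage step for a Cleo host is to list what has landed in that directory since exploitation was first tracked (9 December). The following Python script is an added example written for this article; it is not code from Cleo, Rapid7 or Huntress. The Autorun directory path is passed in by the caller because the article does not state where Cleo places it, and the file names in the demo are constructed placeholders.

```python
"""Triage helper: list files under a Cleo Autorun directory that were
modified on or after a cutoff date, with SHA-256 hashes for sharing.
Added example for this article; the Autorun path is an input because
the page does not give it, and the sample files below are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Exploitation was tracked from at least 9 December 2024 (per the article).
EXPLOITATION_START = datetime(2024, 12, 9, tzinfo=timezone.utc)


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large drops do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_autorun_files(autorun_dir: str, since: datetime = EXPLOITATION_START) -> list[dict]:
    """Return every file below autorun_dir whose mtime is at or after `since`,
    newest first. Each entry carries the path, an ISO-8601 UTC mtime and the
    SHA-256, which is what an incident responder needs to share with peers."""
    cutoff = since.timestamp()
    hits = []
    for root, _dirs, files in os.walk(autorun_dir):
        for name in files:
            path = os.path.join(root, name)
            mtime = os.stat(path).st_mtime
            if mtime >= cutoff:
                hits.append({
                    "path": path,
                    "mtime": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
                    "sha256": sha256_of(path),
                })
    hits.sort(key=lambda e: e["mtime"], reverse=True)
    return hits


def demo() -> list[str]:
    """Constructed sample: one file backdated to before the cutoff and one
    written now. Returns the base names that get flagged."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "baseline.txt")   # placeholder name, not a real Cleo artifact
        new = os.path.join(d, "new_file.txt")   # placeholder name, not a real Cleo artifact
        for p in (old, new):
            with open(p, "w") as f:
                f.write("sample content\n")
        # Backdate the baseline file to 1 November 2024, before exploitation began.
        t = datetime(2024, 11, 1, tzinfo=timezone.utc).timestamp()
        os.utime(old, (t, t))
        return [os.path.basename(e["path"]) for e in recent_autorun_files(d)]


if __name__ == "__main__":
    # Real use: recent_autorun_files("/path/to/cleo/autorun")  (path is site-specific)
    print(demo())
```

Two caveats apply. A recent modification time is a triage signal, not proof of compromise: legitimate Autorun jobs are also edited, and an attacker who has already executed commands on the host can reset timestamps, so treat the output as a list of files to hash, preserve and review rather than as a verdict. And since the article reports that hosts on 5.8.0.21 are being exploited, the version string alone should not be used to mark a system as safe; taking the host off the internet, as Rapid7 advises, remains the immediate control.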
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.