Security researchers warn against active exploitation of Cleo file transfer software

Cleo VLTrader, Cleo Harmony and Cleo LexiCom are all being actively exploited after an update failed to fix known vulnerabilities.

Several security companies, including Huntress and Rapid7, are warning of continued active exploitation of vulnerabilities in a suite of managed file transfer programs developed by software company Cleo.

The affected products are Cleo VLTrader, Cleo Harmony and Cleo LexiCom, all of which were patched in October when Cleo released version 5.8.0.21 of all three solutions.

However, security companies have been observing active exploitation of installations running this patched version since at least December 9, and Cleo itself posted a new advisory on December 10 – apparently behind a paywall – stating that it was aware of a “critical vulnerability in Cleo Harmony, VLTrader and LexiCom which could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by exploiting the default settings in the Autorun directory”.
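A defender-side check for the mechanism the advisory describes, added here as an example and not code from Cleo, Huntress or Rapid7: it records a SHA-256 baseline of the Autorun directory and reports any file added, changed or removed since that baseline, flagging script-like file types. The directory path, the baseline file name and the suffix list are assumptions (placeholders and a constructed list), since the page gives no paths.

```python
"""Baseline-and-diff monitor for a file-transfer Autorun directory.

Added example, not vendor or incident-response tooling. Run once with
`baseline` to record the current contents, then periodically with `check`
to report what has appeared or changed since.
"""
import hashlib
import json
import os
import sys
from pathlib import Path

# Placeholder path: the real Autorun directory differs per install and OS.
AUTORUN_DIR = Path(os.environ.get("CLEO_AUTORUN_DIR", "/opt/cleo/autorun"))
# Placeholder location for the saved baseline.
BASELINE_FILE = Path(os.environ.get("AUTORUN_BASELINE", "autorun_baseline.json"))
# Constructed watch list of suffixes that commonly carry executable commands.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".sh", ".vbs", ".js"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory: Path) -> dict:
    """Map every regular file under `directory` (relative POSIX path) to its hash."""
    result = {}
    for path in sorted(directory.rglob("*")):
        if path.is_file():
            result[path.relative_to(directory).as_posix()] = hash_file(path)
    return result


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Compare two snapshots; return change records, script-like files flagged."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "added"
        elif rel not in current:
            kind = "removed"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue
        changes.append({
            "change": kind,
            "path": rel,
            "script_like": Path(rel).suffix.lower() in SCRIPT_SUFFIXES,
        })
    return changes


def save_baseline(directory: Path, target: Path) -> int:
    """Write the current snapshot to `target`; return the number of files recorded."""
    snap = snapshot(directory)
    target.write_text(json.dumps(snap, indent=2, sort_keys=True))
    return len(snap)


def check(directory: Path, baseline_path: Path) -> list:
    """Load the saved baseline and diff it against the directory's current state."""
    baseline = json.loads(baseline_path.read_text())
    return diff_snapshots(baseline, snapshot(directory))


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "check"
    if mode == "baseline":
        print(f"recorded {save_baseline(AUTORUN_DIR, BASELINE_FILE)} files")
    else:
        for rec in check(AUTORUN_DIR, BASELINE_FILE):
            flag = " [script-like]" if rec["script_like"] else ""
            print(f"{rec['change']:<8} {rec['path']}{flag}")
```

Any "added" or "modified" record in a directory that should only change during administered deployments is worth an alert on its own; the script-like flag only prioritises triage, it is not the sole signal.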

Rapid7 is currently tracking several successful exploitation cases.

“As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activities and is investigating several incidents,” Rapid7 said in a Dec. 11 update to its blog post about the activity.

“File transfer software continues to be a target for adversaries, particularly financially motivated threat actors. Rapid7 recommends taking emergency measures to mitigate the risks associated with this threat.”

The previously patched vulnerability was CVE-2024-50623, which allowed remote code execution; Cleo indicated that it was working on assigning a new CVE for the current issue.

Cleo said on its website that it had 4,200 customers, although Caitlin Condon, head of vulnerability research at Rapid7, said there was only a small population of exposed systems.

“A naive query to an Internet exposure engine shows a relatively small population of systems exposed to the Internet (i.e., between several hundred and several hundred, depending on the query). Any affected system on the open Internet is easy to find and exploit if a malicious group already has a working exploit,” Condon said.

“Clearly at least one group has a working exploit, as Rapid7 and others are seeing active exploitation. We are unable to say with certainty at this time whether this is one or more threat actors, but it is a safe bet that other adversaries will develop or obtain exploitation code over time.”

As for the nature of the exploit, Rapid7 has not seen any ransomware activity at the time of writing.

“Rapid7 has observed successful exploitation of this vulnerability in customer environments,” Condon said.

“We have not attributed the attack to any specific group or motivation, but historically attacks against file transfer solutions have been financially motivated (i.e. the deployment of ransomware and/or extortion). We have not observed any ransomware deployment to date.”

Rapid7 advises Cleo customers to remove affected products from the Internet and ensure they are behind a firewall.
