File transfer software from Cleo, a provider that cites over 4,000 enterprise customers, is being exploited in the wild say security companies – which are blaming an inadequate patch for a remote execution vulnerability in its products allocated CVE-2024-50623.
A trio of products from the private equity-backed Cleo are affected.
Attackers are not just exfiltrating files but establishing persistence on endpoints and have been “observed enumerating potential Active Directory assets with domain reconnaissance tools,” said Huntress.
It has seen ten victims so far that “deal with consumer products, food industry, trucking, and shipping industries” with attacks from December 3.
Cleo says that the following were affected/are patched. (Despite guidance from cybersecurity firm Huntress that its patched versions are still vulnerable to exploitation it has yet to add guidance to its security advisory saying this or even noting that exploitation has been detected.)
- Cleo Harmony (prior to version 5.8.0.21)
- Cleo VLTrader (prior to version 5.8.0.21)
- Cleo LexiCom (prior to version 5.8.0.21)
But security firm Huntress late Monday said that 5.8.0.21 for all versions remains vulnerable and are being exploited. “We’ve directly observed evidence of threat actors exploiting this software en masse [sic] and performing post-exploitation activity” it said in a December 9 blog.
Rapid7 added: “In the absence of an effective patch for CVE-2024-50623 (and any other CVEs that may be assigned to this exploit), Cleo customers should remove affected products from the public internet, ensuring they are behind a firewall. Per Huntress… disabling Cleo’s Autorun Directory, which allows command files to be automatically processed, may also prevent the latter part of the attack chain from being executed.”
