Full Report
The vulnerability — CVE-2024-50623 — was recently patched by software developer Cleo and affects the company’s LexiCom, VLTransfer and Harmony products. However, researchers at cybersecurity firm Huntress say the patch “does not mitigate the software flaw."
Analysis Summary
# Vulnerability: Critical Flaw in Cleo File Transfer Products Actively Exploited Post-Initial Patch
## CVE Details
- CVE ID: CVE-2024-50623
- CVSS Score: Not explicitly stated, but described as **critical** and actively exploited, suggesting a high score.
- CWE: Not explicitly stated.
## Affected Systems
- Products: Cleo LexiCom, VLTransfer, Harmony (and VLTrader based on spokesperson confirmation).
- Versions: Systems running vulnerable versions, noting that versions with the initial patch (e.g., 5.8.0.21) are *still exploitable*.
- Configurations: Internet-exposed Cleo systems.
## Vulnerability Description
A critical software flaw exists in several Cleo file transfer products (LexiCom, VLTransfer, Harmony/VLTrader). Although an initial patch was released by Cleo, security researchers (Huntress) have confirmed that this patch **does not mitigate the flaw**, leading to continued, mass exploitation in the wild by threat actors like the Termite ransomware group.
## Exploitation
- Status: **Exploited in the wild** (actively being exploited "en masse," starting as early as December 3).
- Complexity: Implied to be **Low to Medium** given the widespread and immediate adoption by multiple threat actors upon discovery.
- Attack Vector: Network (as systems are internet-exposed).
## Impact
- Confidentiality: Likely High (given the nature of file transfer products and ransomware group involvement).
- Integrity: Likely High.
- Availability: High (due to confirmed compromises and ransomware activity).
## Remediation
### Patches
- Initial patch (e.g., version 5.8.0.21) **is insufficient and does not fix the vulnerability.**
- **Action Required:** Cleo is creating a **new CVE** and planning a subsequent patch by the middle of the week (as of the article's writing). Customers must monitor Cleo security bulletins.
### Workarounds
- **Strongly Recommended:** Move any internet-exposed Cleo systems **behind a firewall** immediately until the definitive new patch is released.
## Detection
- **Indicators of Compromise (IoCs):** Evidence of exploitation dating back to December 3rd, seen across consumer products, food, trucking, and shipping industries. Termite ransomware operators are confirmed exploiters.
- **Detection Methods and Tools:** Detailed technical information for incident responders (published by Huntress) should be utilized to find evidence of compromise. Rapid7 and Huntress have confirmed exploitation in customer environments.
## References
- Vendor Advisory URL: support[dot]cleo[dot]com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623
- Huntress Advisory URL: huntress[dot]com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
- Rapid7 Analysis URL: rapid7[dot]com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623