Full Report
A zero-day vulnerability in Cleo file transfer software is being exploited in data theft attacks
Analysis Summary
# Vulnerability: Active Exploitation of Cleo File Transfer RCE Zero-Day
## CVE Details
- CVE ID: CVE-2024-50623 (Note: Another unauthenticated RCE vulnerability is mentioned as **CVE pending**)
- CVSS Score: Not explicitly stated, but implied to be High/Critical due to active RCE exploitation.
- CWE: Remote Code Execution (RCE) vulnerability stemming from an incomplete vendor patch.
## Affected Systems
- Products: Cleo Harmony, VLTrader, and LexiCom.
- Versions: Versions up to **5.8.0.23** are confirmed affected by the latest advisory regarding the *pending* CVE. Previous exploited flaws were bypassed by an earlier incomplete patch.
- Configurations: Products exposed to the public internet are at highest risk.
## Vulnerability Description
The critical issue is a zero-day vulnerability allowing for unauthenticated Remote Code Execution (RCE). This flaw bypassed a previous vendor patch released in October and resulted in widespread exploitation starting as early as December 3, 2024. The mechanism is identified as an "unauthenticated malicious hosts vulnerability" that enables threat actors to gain control over the server.
## Exploitation
- Status: **Exploited in the wild** (Observed widespread exploitation since at least December 3, 2024).
- Complexity: Implied **Low to Medium** given the volume and speed of compromise observed by researchers.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: **High** (Goal of exploitation appears to be data theft).
- Integrity: **High** (RCE allows modification or deletion of files/systems).
- Availability: **Medium to High** (Successful exploitation could lead to service disruption or data destruction).
## Remediation
### Patches
- **Cleo Harmony, VLTrader, LexiCom:** Customers are urged to upgrade to the **latest product version (5.8.0.23)**, as noted in the vendor's most recent communication. *Note: An earlier patch update (5.8.0.21) was deemed insufficient against current threats.* A patch for the newly identified (CVE pending) flaw is expected.
### Workarounds
1. **Immediate Exposure Reduction:** Remove affected Cleo products from the **public internet**.
2. **Firewall Protection:** Place Cleo servers **behind a firewall**.
3. **Disable Autorun:** Disable Cleo’s **Autorun Directory** feature, which processes command files automatically, as this may prevent the latter stages of the multi-part attack chain.
## Detection
- **Indicators of Compromise (IOCs):** Threat actors have been observed dropping files and running specific commands for persistence post-exploitation. Customers should review analysis reports from Huntress and Rapid7 for detailed artifacts.
- **Detection Methods and Tools:** Security teams should investigate environments for suspicious activity dating back to **December 3, 2024**, specifically looking for indicators related to the post-exploitation activity documented by Huntress.
## References
- Vendor Advisory (Cleo Support): hxxps://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending
- Huntress Investigation: (Search for Huntress blog post regarding Cleo RCE)
- Rapid7 Advisory: (Search for Rapid7 blog post regarding widespread exploitation of CVE-2024-50623)