The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2024-50623 (CVSS score 8.8), which impacts multiple Cleo products to its Known Exploited Vulnerabilities (KEV) catalog.
“Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.” reads the advisory. “Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability. ”
The vulnerability affects the following products LexiCom before version 5.8.0.21, Harmony prior to version 5.8.0.21, and VLTrader prior to version 5.8.0.21.
On December 9, reports of active exploitation targeting Cleo file transfer software began circulating among cybersecurity community. Security firm Huntress publicly disclosed ongoing exploitation involving three different Cleo products.
“On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers.” reads the post published by Huntress. “We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity.”
Huntress researchers created a proof of concept and learned the patch does not mitigate the software flaw. The experts warned that fully patched systems running 5.8.0.21 are still exploitable.
Caleb Stewart, a Principal Security Researcher, developed a Python script exploiting an arbitrary file-write vulnerability. This script successfully placed files in the autoruns subdirectory, demonstrating the execution capability. The method was tested against both LexiCom and VLTrader software, with versions 5.8.0.0 and the patched 5.8.0.21, confirming the exploit’s effectiveness.
Caleb Stewart, a Principal Security Researcher, developed a Python script exploiting an arbitrary file-write vulnerability. This script successfully placed files in the autoruns subdirectory, demonstrating the execution capability. The researchers tested the PoC against both LexiCom and VLTrader software, with versions 5.8.0.0 and the patched 5.8.0.21, confirming the exploit’s effectiveness.
Huntress researchers published Indicators of Compromise (IOCs) for attacks exploiting this vulnerability.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by January 3, 2025.