Everything you need to know about the Cleo file transfer vulnerability, including affected products, patches, and temporary mitigations
Threat actors are actively exploiting a flaw in three popular Cleo solutions
A vulnerability in the popular managed file transfer (MFT) service from software company Cleo is being actively exploited by threat actors, researchers have warned.
Reports from multiple security firms have warned that three different Cleo products were being attacked in the wild, including Cleo Harmony, the firm’s widely used file transfer service.
VLTrader, a server-side solution aimed at mid-sized corporations, and LexiCom, a desktop-based client for communication with major trading networks, were also impacted by the flaw, according to Cleo.
The vulnerability affects versions of all three products prior to the 5.8.0.21 release, Cleo added, urging firms to patch as soon as possible.
Cleo described the flaw, CVE-2024-50623, as an unrestricted file upload and download vulnerability, warning attackers could exploit the weakness to remotely execute arbitrary code on target systems.
Security company Huntress published a blog flagging that it had collected evidence showing the flaw was under active exploitation on 9 December.
“We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity,” Huntress’s research team warned.
The Huntress report said that based on its telemetry, it had discovered at least 10 businesses whose Cleo servers were compromised, with evidence of exploitation as early as 3 December but with a “notable uptick” on 8 December.
The majority of the compromised businesses identified by Huntress were operating in the consumer products, food, trucking, and shipping industries, but researchers added that there were still several other organizations they could not identify that could also have been compromised.
Customers advised to ‘pull the plug’ on affected products
A blog from security firm Rapid7 confirmed successful exploitation of the vulnerability in some of its customers’ environments, revealing it was investigating multiple incidents after observing enumeration and post-exploitation activity.
The catastrophic impact of exploited vulnerabilities in popular file transfer software was demonstrated by the MOVEit data breach in 2023.
Rapid7 noted that file transfer software remains a popular target for threat actors looking to generate income.
“File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular. Rapid7 recommends taking emergency action to mitigate risk related to this threat.”
Security researcher Kevin Beaumont took to social media to warn that there is evidence the Termite ransomware group, potentially in collaboration with other groups, may be responsible for the zero-day.
Beaumont also advised organizations to “fully pull the plug” on impacted Cleo products in their IT estate until there was more clarity from the vendor.
Initially, Cleo issued a paywalled advisory on the issue, stating that its request for a CVE designation was still pending approval.
Huntress’s report warned businesses that the 5.8.0.21 patched versions were insufficient to protect against the attacks it had observed in the wild, stating that fully patched systems may still be vulnerable to exploitation.
In a Zoom call with Huntress, security personnel at Cleo said the company was working on making a new patch as soon as possible, expected to be released within a week.
In the meantime, businesses can limit their attack surface by reconfiguring the Cleo software to disable the autoruns feature, which allows command files to be automatically processed.
This will inhibit the second stage of the attack path that relies on using the autorun feature for code execution.
Huntress advised that until an effective patch is released, affected customers should ensure any Cleo systems exposed to the public internet are protected behind a firewall.
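The guidance above boils down to three checks per host: is it an affected product below 5.8.0.21, is autoruns still enabled, and is it reachable from the internet. The following triage script is an added example (not Cleo’s or Huntress’s tooling); the inventory is constructed, and the exposure and autoruns flags are assumed to have been gathered separately, since the article does not describe Cleo’s configuration format.

```python
"""Triage a Cleo MFT host inventory against the thresholds in the article.

Added example, not vendor tooling. Product names and the 5.8.0.21 release
come from the article; the hosts below are constructed sample data.
"""
from typing import NamedTuple

PATCH_THRESHOLD = (5, 8, 0, 21)          # first release Cleo shipped as fixed
AFFECTED_PRODUCTS = {"harmony", "vltrader", "lexicom"}


class Host(NamedTuple):
    name: str
    product: str
    version: str
    internet_exposed: bool    # assumed: gathered from firewall/exposure scan
    autoruns_enabled: bool    # assumed: gathered from the Cleo configuration


def parse_version(v: str) -> tuple:
    """Turn '5.8.0.21' into (5, 8, 0, 21); shorter strings are zero-padded."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(host: Host) -> str:
    """Classify one host: not-affected, vulnerable, at-risk or mitigated."""
    if host.product.lower() not in AFFECTED_PRODUCTS:
        return "not-affected"
    if parse_version(host.version) < PATCH_THRESHOLD:
        return "vulnerable: below 5.8.0.21, patch immediately"
    # Huntress reported that 5.8.0.21 could still be exploited, so a patched
    # host only counts as mitigated once autoruns is off and it is off the
    # public internet, pending the vendor's follow-up patch.
    if host.autoruns_enabled or host.internet_exposed:
        return "at-risk: patched but autoruns enabled or internet-exposed"
    return "mitigated: patched, autoruns disabled, not internet-exposed"


def summarize(hosts: list) -> dict:
    """Count hosts per triage bucket (first word of the triage string)."""
    counts: dict = {}
    for h in hosts:
        bucket = triage(h).split(":")[0]
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed inventory
        Host("mft-01", "Harmony", "5.8.0.20", True, True),
        Host("mft-02", "VLTrader", "5.8.0.21", False, True),
        Host("mft-03", "LexiCom", "5.8.0.21", False, False),
    ]
    for h in sample:
        print(h.name, h.product, h.version, "->", triage(h))
    print(summarize(sample))
```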
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.