The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical vulnerability in Cleo’s file transfer software being actively exploited by ransomware gangs.
The vulnerability, initially identified as CVE-2024-50623, affects Cleo Harmony, VLTrader, and LexiCom products, which enterprises widely use for secure file sharing.
Originally disclosed in October 2024, CVE-2024-50623 was thought to be patched in version 5.8.0.21. However, security researchers from Huntress discovered that the patch was insufficient, leaving systems vulnerable to exploitation.
The flaw allows unauthenticated attackers to upload malicious files and abuse a system autorun feature, potentially leading to remote code execution (RCE) with elevated privileges.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
CISA has added CVE-2024-50623 to its Known Exploited Vulnerabilities (KEV) catalog, confirming its use in ransomware campaigns. Federal agencies have been ordered to patch affected systems by January 3, 2025.
This vulnerability has been exploited since December 3, 2024, with a surge in attacks noted on December 8. Affected organizations span various industries, including consumer products, food, trucking, and shipping.
Exploited by Malichus Malware
Researchers have identified a new malware family, dubbed “Malichus,” being deployed by attackers exploiting the Cleo bug. This sophisticated malware demonstrates the threat actors’ intimate knowledge of Cleo software.
In response to the ongoing threat, Cleo released a new patch on December 13, 2024, to address the original CVE and a newly discovered zero-day vulnerability.
The company urges customers to immediately upgrade to the latest versions of Harmony, VLTrader, and LexiCom software.
Security experts are raising concerns about the delay in assigning a new CVE identifier for the additional vulnerability, which allows unauthenticated users to import and execute arbitrary bash or PowerShell commands.
Defenders recommend disabling the autoruns functionality in Cleo software as a temporary mitigation measure to reduce the attack surface. However, this step alone does not fully address the arbitrary file-write vulnerability.
The incident draws parallels to the MOVEit hack campaign, where cybercriminals exploited a zero-day in Progress Software’s file transfer software to steal data from thousands of organizations.
CISA’s confirmation of ransomware exploitation underscores the critical nature of this vulnerability. Organizations using Cleo products are strongly advised to apply the latest patches, monitor for signs of compromise, and implement recommended mitigation strategies to protect their systems from potential ransomware attacks.
Cybersecurity firms are actively monitoring and investigating multiple incidents related to this vulnerability as the situation continues to evolve. The security community remains vigilant, emphasizing the importance of prompt patching and proactive threat detection to safeguard against these sophisticated attacks.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free