Cleo VLTrader, Cleo Harmony and Cleo LexiCom are being actively exploited after an update failed to fix known vulnerabilities.
Several security companies, including Huntress and Rapid7, are warning about the active and ongoing exploitation of vulnerabilities in a suite of managed file transfer programs developed by software company Cleo.
The affected products are Cleo VLTrader, Cleo Harmony and Cleo LexiCom, all patched in October when Cleo released version 5.8.0.21 of the three solutions.
However, security companies have been tracking active exploitation of that version since at least December 9, and Cleo itself posted a new notice on December 10 (which is apparently behind a paywall) saying that it was aware of a “critical vulnerability in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default autorun directory settings.”
Rapid7 is currently tracking multiple cases of successful exploitation.
“As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; like Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents,” Rapid7 said in a Dec. 11 update to its blog post about the activity.
“File transfer software continues to be a target for adversaries and, in particular, financially motivated threat actors. Rapid7 recommends taking emergency measures to mitigate the risk related to this threat.”
The earlier vulnerability was CVE-2024-50623, which allowed remote code execution; Cleo reported that it is working to have a new CVE assigned for the issue being exploited now.
Cleo said on its website that it has 4,200 customers, although Caitlin Condon, head of vulnerability research at Rapid7, said there is only a small population of exposed systems.
“A naive query to an Internet exposure engine returns a relatively small population of Internet-exposed systems (i.e., anywhere from hundreds to more, depending on the query). Any affected system on the open Internet is easy to find and exploit if a threat group already has a working exploit,” Condon said.
“Clearly at least one group has a working exploit, as Rapid7 and others are seeing active exploitation. We can’t definitively say at this time whether this is one or multiple threat actors, but it’s a good bet that additional adversaries will develop or collect exploit code as time goes on.”
As for the nature of the attacks, Rapid7 had not seen any ransomware activity at the time of writing.
“Rapid7 has observed successful exploitation of this vulnerability in customer environments,” Condon said.
“We have not attributed the attack to any specific group or motivation, but historically, attacks on file transfer solutions have been financially motivated (i.e., for the implementation of ransomware and/or extortion). We have not observed ransomware deployment to date.”
Rapid7 advises Cleo customers to remove affected products from the internet and ensure they are behind a firewall.