Threat actors are actively exploiting a high-risk vulnerability in widely used file transfer software, launching mass hacks. The vulnerability, tracked as CVE-2024-50623, impacts software developed by US-based enterprise software company Cleo, according to cybersecurity researchers at Huntress.
Cleo’s software is used by over 4,200 customers, including high-profile companies.
The flaw, which was disclosed by Cleo in a security advisory on October 30, allows attackers to execute remote code on affected systems. It impacts Cleo’s LexiCom, VLTransfer, and Harmony software used by enterprises to manage file transfers securely. Cleo released a patch for the vulnerability in October; however, Huntress says that the fix does not fully mitigate the software flaw.
In a blog post, Huntress said it has observed threat actors mass exploiting the software since December 3, with at least 10 businesses’ servers compromised. Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers, the researchers said.
Shodan, a search engine that indexes publicly available devices and databases, shows hundreds of vulnerable Cleo servers, most of which are located in the United States.
While it’s unknown what threat actors are behind the attacks, Huntress has detected signs of “post-exploitation activity” on compromised systems. It is not yet clear whether any sensitive data has been exfiltrated from affected Cleo customers.
On December 10, Cleo released a security advisory highlighting a critical vulnerability, which has yet to receive a CVE identifier, describing it as “an unauthenticated malicious hosts vulnerability that could lead to remote code execution.” The flaw affects Cleo Harmony (up to version 5.8.0.23); Cleo VLTrader (up to version 5.8.0.23); Cleo LexiCom (up to version 5.8.0.23).
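The affected-version range in the December 10 advisory is the kind of thing a defender turns into an inventory check. The script below is an added example, not code from the article, from Cleo, or from Huntress; it assumes an inventory of (hostname, product, version) rows, which here is constructed, and flags any of the three named products at or below version 5.8.0.23. The one non-obvious point it demonstrates is that dotted versions must be compared segment by segment as integers, since a plain string comparison would rank 5.8.0.9 above 5.8.0.23.

```python
"""Added example (not from the article, Cleo, or Huntress): flag hosts whose
Cleo product version falls within the range the December 10 advisory lists
as affected (up to 5.8.0.23). The inventory below is constructed."""

# Products and version ceiling as stated in the December 10 advisory.
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}
AFFECTED_MAX_VERSION = "5.8.0.23"


def parse_version(version: str) -> tuple:
    """Split a dotted version string into a tuple of integers.

    Comparing tuples compares each segment numerically, so 5.8.0.9 sorts
    below 5.8.0.23. A string comparison would get this wrong because the
    character "9" is greater than "2".
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the product is one of the three named in the advisory and
    its version is at or below the advisory's ceiling."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) <= parse_version(AFFECTED_MAX_VERSION)


def find_affected(inventory):
    """Return the hostnames from an inventory of (host, product, version)
    rows that the check flags, preserving input order."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory: hostnames, products and versions are made up
# for illustration and do not describe any real deployment.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "Harmony", "5.8.0.21"),
    ("mft-02.example.internal", "VLTrader", "5.8.0.23"),
    ("mft-03.example.internal", "LexiCom", "5.8.0.9"),
    ("mft-04.example.internal", "Harmony", "5.8.0.24"),
    ("edi-01.example.internal", "SomeOtherProduct", "1.0.0"),
]

if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: version within the advisory's affected range")
```

Because the article also reports that the October patch did not fully mitigate the flaw, a host that passes this version check is not thereby cleared; the check only narrows down which systems to review first against the vendor's current advisory.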