11 December 2024

Critical flaw in Cleo file-transfer tools exploited to launch mass attacks

Threat actors are actively exploiting a high-risk vulnerability in widely used file transfer software, launching mass hacks. The vulnerability, tracked as CVE-2024-50623, impacts software developed by US-based enterprise software company Cleo, according to cybersecurity researchers at Huntress.

Cleo’s software is used by over 4,200 customers, including high-profile companies.

The flaw, which was disclosed by Cleo in a security advisory on October 30, allows attackers to execute remote code on affected systems. It impacts Cleo’s LexiCom, VLTrader, and Harmony software, which enterprises use to manage file transfers securely. Cleo released a patch for the vulnerability in October; however, Huntress says that the fix does not fully mitigate the software flaw.

In a blog post, Huntress said it has observed threat actors mass exploiting the software since December 3, with at least 10 businesses’ servers compromised. Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers, the researchers said.

Shodan, a search engine that indexes publicly available devices and databases, shows hundreds of vulnerable Cleo servers, most of which are located in the United States.

While it’s unknown what threat actors are behind the attacks, Huntress has detected signs of “post-exploitation activity” on compromised systems. It is not yet clear whether any sensitive data has been exfiltrated from affected Cleo customers.

On December 10, Cleo released a security advisory highlighting a critical vulnerability, which has yet to receive a CVE identifier, describing it as “an unauthenticated malicious hosts vulnerability that could lead to remote code execution.” The flaw affects Cleo Harmony (up to version 5.8.0.23); Cleo VLTrader (up to version 5.8.0.23); Cleo LexiCom (up to version 5.8.0.23).
