Are Your Systems Vulnerable to Cleo File-Transfer Software Exploits?

December 17, 2024

In the realm of cybersecurity, the recent revelation of a critical vulnerability within Cleo file-transfer software has sent shockwaves through the industry, prompting questions and concerns regarding the integrity and safety of systems dependent on this technology. Identified as CVE-2024-55956, this vulnerability allows an unauthenticated user to import and execute arbitrary bash or PowerShell commands on a host system, presenting a significant risk to the affected software. The vulnerability impacts versions of Cleo Harmony, VLTrader, and Lexicom that precede 5.8.0.24. It was uncovered after researchers from Huntress determined that a patch aimed at mitigating an earlier vulnerability, CVE-2024-50623, did not offer complete protection against potentially malicious exploits. Notably, both vulnerabilities have been actively exploited since at least December 3, with targeted attacks on companies spanning a variety of sectors including consumer products, food, retail, and trucking, making the situation all the more alarming.

The Significance of CVE Assignments in Managing Security Risks

The security community has vocalized its criticism towards Cleo for the delay in assigning a CVE identifier and for the ambiguity surrounding which vulnerability posed the greatest threat. Vulnerability identifiers like CVE numbers play a crucial role for organizations in assessing and prioritizing risks effectively. Caitlin Condon, a security expert from Rapid7, stressed the necessity of CVE identifiers in aiding organizations to comprehend the root causes, potential impacts, and specific risk models associated with security issues. This sentiment was echoed by Patrick Garrity from VulnCheck, who underscored the importance of CVEs in providing organizations with visibility into unique vulnerabilities and the software affected by them. The assignment of CVEs equips businesses with the tools needed to address security risks more systematically and strategically, enabling them to respond swiftly and efficiently to emerging threats.

The newly disclosed CVE-2024-55956 is distinguished from its predecessor, CVE-2024-50623, by its unique root cause and exploitation strategy. Whereas CVE-2024-50623 involved a remote code execution vulnerability via server-side template injection and required credentials, CVE-2024-55956 epitomizes a zero-day vulnerability with distinct attack workflows and implications. Rapid7 researchers noted that the older vulnerability, CVE-2024-50623, was likely exploited to achieve remote code execution and credential theft, as it facilitated both file reading and writing—a fact that highlights the necessity of thorough patching and ongoing vigilance in securing systems from such persistent threats.

Actions Taken by Security Agencies and Threat Intelligence Groups

The Cybersecurity and Infrastructure Security Agency (CISA) responded swiftly by adding CVE-2024-50623 to its catalog of known exploited vulnerabilities. CISA also acknowledged its utilization in ransomware attacks, further intensifying the need for organizations to address the vulnerability with the utmost urgency. Moreover, CISA encouraged Cleo users to update their systems without delay and to consistently monitor and replace end-of-life software and hardware, ensuring that their security defenses are robust and up-to-date. Reports from Shadowserver indicated the presence of 930 vulnerable instances of CVE-2024-50623, with roughly 720 exposed in the United States alone, underscoring the widespread nature of the threat.

The narrative took an additional turn with the involvement of Clop, a financially motivated threat group associated with the notorious MOVEit attack spree. Clop issued a statement claiming the intention to delete links to data from all affected companies and to permanently remove data from all servers, a claim verified by Huntress researchers via a Clop data leak site. This development not only sheds light on the activities and promises of threat actors but also serves as a reminder of the ongoing and evolving nature of cybersecurity threats.

Conclusion: Moving Forward and Enhancing Security Postures

In the cybersecurity world, the discovery of a critical vulnerability in Cleo file-transfer software has created significant concern about the security and reliability of systems using this technology. Known as CVE-2024-55956, this vulnerability allows unauthorized users to execute arbitrary bash or PowerShell commands on a host system, posing a serious threat to the affected software. The issue affects Cleo Harmony, VLTrader, and Lexicom versions earlier than 5.8.0.24. Researchers from Huntress found this vulnerability after determining that a patch designed to fix an earlier issue, CVE-2024-50623, was not fully effective in preventing malicious exploits. Both vulnerabilities have been actively exploited since at least December 3, targeting companies in diverse sectors such as consumer products, food, retail, and trucking. This revelation underscores the urgent need for updated security measures, as the ongoing targeted attacks highlight the critical nature of this vulnerability.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later