Cleo Zero-Day RCE Vulnerability Actively Exploited in the Wild

A critical zero-day vulnerability (CVE-2024-50623) in Cleo's file transfer products Harmony, VLTrader, and LexiCom is being actively exploited by threat actors, cybersecurity researchers have warned.

The vulnerability, caused by unrestricted file upload and download, allows unauthenticated remote code execution (RCE), which poses a significant risk to businesses that rely on Cleo’s software for secure file transfers.

The vulnerability was initially disclosed in October 2024, and Cleo released version 5.8.0.21 to address it. However, researchers from Huntress discovered that this patch failed to fully mitigate the issue.

Exploitation of the vulnerability began as early as December 3, 2024, with a sharp increase in attacks observed on December 8. The attackers leverage the flaw to place malicious files in the "autorun" directory of Cleo installations, a directory whose contents the software picks up and processes automatically, enabling arbitrary code execution via embedded PowerShell commands or other scripts.

The exploitation has targeted at least 10 businesses across industries such as consumer products, logistics, and food supply. Notably, Huntress detected over 1,700 vulnerable Cleo servers under its monitoring, suggesting a broader scope of potential compromise.

The vulnerability affects all versions of Cleo Harmony, VLTrader, and LexiCom prior to and including version 5.8.0.21. Even systems updated to this patch remain exploitable due to incomplete remediation.

According to Kevin Beaumont, operators of the Termite ransomware group are exploiting the vulnerability to deploy ransomware.

Observed Attack Techniques

Threat actors exploit the vulnerability by:

  • Uploading malicious files into the “autorun” directory.
  • Leveraging these files to execute embedded commands, such as PowerShell scripts.
  • Establishing persistence through backdoor mechanisms.
  • Conducting reconnaissance activities within compromised networks.

Indicators of compromise include suspicious XML files in installation directories (e.g., hosts/main.xml) and logs showing unauthorized file imports or PowerShell execution.

Cleo has urged customers to upgrade to version 5.8.0.21 immediately while acknowledging its limitations. A new patch is expected later this week to fully address the vulnerability. In the interim, organizations are advised to:

  • Move internet-exposed Cleo systems behind a firewall.
  • Disable the “autorun” feature within Cleo software by navigating to Configure > Options > Other Pane and clearing the “Autorun Directory” field.
  • Monitor installation directories for suspicious files or unauthorized changes.
  • Block known malicious IP addresses linked to these attacks.
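The attack pattern in "Observed Attack Techniques" and the "monitor installation directories" advice above both come down to the same triage: anything sitting in the autorun directory, command-like content in the host XML files, and log entries that show a file landing in autorun or a shell being spawned. The script below is an added example of that triage, not Cleo's or Huntress's tooling. It assumes a conventional install layout with `autorun/` and `hosts/` directly under the install root; the XML fixtures and log lines it scans are constructed for the example, and the log line format is invented for illustration rather than Cleo's actual log format, so adapt the regexes to your own installation.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Command-like content that has no business in a host definition or in autorun/.
# Assumption: real payloads vary; this list is illustrative, not exhaustive.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd\.exe|/bin/sh|/bin/bash|-enc(odedcommand)?\b|"
    r"\bIEX\b|Invoke-Expression|DownloadString|certutil|bitsadmin|"
    r"[A-Za-z0-9+/]{60,}={0,2})",  # a long base64 run, typical of -enc payloads
    re.IGNORECASE,
)


def scan_autorun(root: Path) -> list:
    """Cleo processes whatever lands in autorun/, so with the feature disabled the
    directory should be empty: every file found is reported."""
    autorun = root / "autorun"
    if not autorun.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in autorun.iterdir() if p.is_file())


def scan_host_xml(root: Path) -> list:
    """Look through hosts/*.xml for command-like text or attribute values. The
    file is parsed when possible so the finding names the element; a malformed
    file (a half-written payload, say) falls back to a raw-text match instead of
    being silently skipped."""
    findings = []
    hosts = root / "hosts"
    if not hosts.is_dir():
        return findings
    for path in sorted(hosts.glob("*.xml")):
        rel = path.relative_to(root).as_posix()
        raw = path.read_bytes()
        try:
            doc = ET.fromstring(raw)
            for el in doc.iter():
                for value in [el.text or ""] + list(el.attrib.values()):
                    m = SUSPICIOUS.search(value)
                    if m:
                        findings.append((rel, el.tag, m.group(0)[:40]))
        except ET.ParseError:
            m = SUSPICIOUS.search(raw.decode("utf-8", errors="replace"))
            if m:
                findings.append((rel, "<unparseable>", m.group(0)[:40]))
    return findings


def scan_log_lines(lines) -> list:
    """Flag lines recording a file delivered into autorun/ or a shell execution.
    Assumption: the line format is constructed for this example, not Cleo's."""
    return [
        line.strip()
        for line in lines
        if re.search(r"\bautorun[/\\]", line, re.IGNORECASE) or SUSPICIOUS.search(line)
    ]


# Constructed sample log, not a real capture: two benign imports, one file landing
# in autorun/, the autorun pickup, and the resulting PowerShell launch.
SAMPLE_LOG = [
    "2024-12-08 03:14:07 INFO  Import complete: inbound/invoice_4471.pdf",
    "2024-12-08 03:14:09 INFO  Import complete: autorun/update.xml",
    "2024-12-08 03:14:10 INFO  Autorun: executing autorun/update.xml",
    "2024-12-08 03:14:11 INFO  Run: powershell -nop -w hidden -enc " + "Q" * 64,
    "2024-12-08 03:15:00 INFO  Import complete: inbound/po_1199.csv",
]


def build_sample_install(root: Path) -> None:
    """Constructed fixture imitating the intrusion pattern (hypothetical content)."""
    (root / "autorun").mkdir(parents=True)
    (root / "hosts").mkdir()
    (root / "autorun" / "update.xml").write_text(
        "<Commands><Command>powershell -nop -w hidden -enc " + "Q" * 64 + "</Command></Commands>"
    )
    (root / "hosts" / "partner_sftp.xml").write_text(  # legitimate-looking host
        '<?xml version="1.0"?><Host alias="partner"><Mailbox>outbox/partner</Mailbox></Host>'
    )
    (root / "hosts" / "main.xml").write_text(  # the planted host definition
        '<?xml version="1.0"?><Host alias="main"><Action>cmd.exe /c powershell -enc '
        + "Q" * 64 + "</Action></Host>"
    )
    (root / "hosts" / "broken.xml").write_text(  # malformed: exercises the fallback
        "<Host><Action>certutil -urlcache -split -f"
    )


def triage(root: Path, log_lines=SAMPLE_LOG) -> dict:
    return {
        "autorun_files": scan_autorun(root),
        "host_xml": scan_host_xml(root),
        "log_hits": scan_log_lines(log_lines),
    }


def run_demo() -> dict:
    """Build the fixture in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_install(root)
        return triage(root)


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section)
        for item in items:
            print("   ", item)
```

Point `triage()` at a real install root and feed it the product's log lines once you have adjusted the log regex; on a host where autorun has been disabled as described above, `scan_autorun` returning anything at all is itself worth an incident ticket, regardless of what the file contains.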

This incident underscores growing threats against managed file transfer (MFT) tools, reminiscent of past high-profile exploits like the MOVEit campaign. Attackers increasingly target enterprise software handling sensitive data transfer processes, exploiting vulnerabilities to breach corporate networks and exfiltrate data.

Organizations using Cleo’s products must act swiftly to implement mitigations and monitor for signs of compromise while awaiting a comprehensive patch from Cleo.

Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
