Users of Cleo's managed file transfer software are advised to update their instances immediately because a vulnerability that affects even fully patched systems is being mass-exploited. The vulnerability, tracked as CVE-2024-50623, is an unauthenticated remote code execution flaw caused by an unrestricted file upload.
According to cybersecurity company Huntress, the issue was discovered on December 3, 2024, and has been exploited against at least 10 businesses. Ransomware groups such as Cl0p have claimed responsibility for the attacks, which use a modified version of the Babuk ransomware and abuse the Cleo software's "autorun" directory.
The affected products are Cleo Harmony, VLTrader, and LexiCom, with releases up to version 5.8.0.24 available for download. Coinciding with the release of the patches, security researchers have published a proof-of-concept exploit that achieves arbitrary file read/write on vulnerable versions.
Cleo has launched an investigation and notified customers of the issue, providing mitigation steps and recommending that the patch be applied immediately. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-50623 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in ransomware campaigns. Federal agencies are advised to apply the patches by January 3, 2025.
Customers are encouraged to check Cleo's security bulletin page regularly for updates and to apply the available patch immediately.
Source: https://thehackernews.com/2024/12/cleo-file-transfer-vulnerability-under.html