Image: Aron Yigin via Unsplash+/Cleo

Multiple Cleo file transfer products being exploited by hackers

Cybersecurity researchers are warning that vulnerabilities in several file transfer products are being exploited by hackers, even after a patch was released by the developer.

The vulnerability — CVE-2024-50623 — was recently patched by software developer Cleo and affects the company’s LexiCom, VLTrader and Harmony products. However, researchers at cybersecurity firm Huntress say the patch “does not mitigate the software flaw,” and that they’ve seen threat actors exploiting the bug “en masse” over the last week.

“This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable,” Huntress said. “We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.”

A Cleo spokesperson confirmed that they identified a critical vulnerability in instances of Cleo Harmony, VLTrader and LexiCom products. 

“Promptly upon discovering the vulnerability, we launched an investigation with the assistance of outside cybersecurity experts, notified customers of this issue and provided mitigation steps customers should immediately take to address the vulnerability while a patch is under development,” the spokesperson said. 

“Our investigation is ongoing. Customers are encouraged to check Cleo’s security bulletin webpage regularly for updates.”

Huntress incident responders said they have seen at least 10 businesses using Cleo that have been compromised, adding that there was an uptick in exploitation starting on December 8. 

“After some initial analysis, however, we have found evidence of exploitation as early as December 3. The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries,” the company explained.

“There are still several other companies outside of our immediate view who are potentially compromised as well.”

Huntress has spoken to Cleo about its findings and confirmed that Cleo is creating a new CVE that will be patched by the middle of the week. Huntress also published detailed technical information about how incident responders can find evidence of exploitation and more. 

Cybersecurity expert Kevin Beaumont said Cleo initially published a paywalled advisory for customers about the issue before releasing a more limited version publicly on Tuesday. 

Beaumont noted that Termite ransomware group operators have been seen exploiting the vulnerability. The group made headlines last week for its attack on a prominent software company used by dozens of major retailers. 

Incident responders at cybersecurity firm Rapid7 confirmed Huntress’ findings and said they have seen exploitation of the issue in the environments of their customers. 

File transfer tools have become one of the most frequent targets for hackers and several of the biggest data theft campaigns have been sourced back to popular products like MOVEit, GoAnywhere and Accellion.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.