Everything you need to know about the Cleo file transfer vulnerability, including affected products, patches, and temporary mitigations

Threat actors are actively exploiting a flaw in three popular Cleo solutions, with customers advised to take affected products offline immediately

featured-image

A in the popular managed file transfer (MFT) service from software company Cleo is being actively exploited by threat actors, researchers have warned. Reports from multiple security firms have warned that three different Cleo products were being attacked in the wild, including Cleo Harmony, the firm’s widely-used file transfer service capability. VLTrader, a -side solution aimed at mid-sized corporations, and Lexicom, a desktop-based client for communication with major trading networks, were also impacted by the flaw according to Cleo.

The vulnerability affects versions of all three products prior to the 5.8.0.



21 release, Cleo added, urging firms to . Cleo the flaw, CVE-2024-50623, as an unrestricted file upload and download vulnerability, warning attackers could exploit the weakness to remotely execute arbitrary code on target systems. Security company Huntress published a flagging that it had collected evidence showing the flaw was under active exploitation on 9 December.

“We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity,” Huntress’s research team warned. The report said that based on its telemetry, it had discovered at least 10 businesses whose Cleo servers were compromised, with evidence of exploitation as early as 3 December but with a “notable uptick” on 8 December. The majority of the compromised businesses identified by Huntress were operating in the consumer products, food, trucking, and , but researchers added that there were still several other organizations they could not identify that could also have been compromised.

Customers advised to ‘pull the plug’ on affected products after Cleo patch found to be vulnerable to exploitation A from security firm Rapid7 confirmed successful exploitation of the vulnerability of some of its customer’s environment, revealing it was investigating multiple incidents after observing enumeration and post-exploitation activity. Last year saw the catastrophic impacts of exploiting vulnerabilities in popular file transfer software with the in 2023. noted that file transfer software remains a popular target for threat actors looking to generate income.

“ continues to be a target for adversaries, and for financially motivated threat actors in particular. Rapid7 recommends taking emergency action to mitigate risk related to this threat.” Security researcher Kevin Beaumont took to social media to that there is evidence the Termite ransomware group, potentially in collaboration with other groups, may be responsible for the zero day.

Beaumont also advised organizations to “fully pull the plug” on impacted Cleo products in their until there was more clarity from the vendor. Initially, Cleo issued a paywalled advisory on the issue, stating the application for it to be designated as a was still under approval. Huntress’s report warned businesses that the 5.

8.0.21 patched versions were insufficient in protecting against the attacks it had observed in the wild, stating fully-patched systems may still be vulnerable to exploitation.

In a Zoom call with Huntress, security personnel at Cleo said the company was working on making a as soon as possible, expected to be released within a week. In the meantime, businesses can limit their by reconfiguring the Cleo software to disable the autoruns feature, which allows command files to be automatically processed. This will inhibit the second stage of the attack path that relies on using the autorun feature for .

Huntress advised that until an effective patch is released, affected customers should ensure any Cleo systems exposed to the public internet are protected behind a ..