Enterprise software firm Cleo has issued a critical security patch (version 5.8.0.24) for an actively exploited zero-day vulnerability in its Harmony, VLTrader, and LexiCom managed file transfer products. The flaw, which remains under investigation, allows unauthenticated attackers to execute arbitrary commands on the host system and to upload and download files without restriction.
Security researchers at Huntress, Rapid7, and Sophos have confirmed that the vulnerability (initially tracked as CVE-2024-50623) has been exploited in the wild since at least 3 December. Successful exploitation gives attackers remote code execution and, with it, full control of the targeted server.
Exploitation details and associated risks
Cleo first addressed the issue in late October with a patch for CVE-2024-50623. Attackers subsequently found a way to bypass that fix, and the bypass is what is now being actively exploited. On 3 December, Huntress researchers observed a surge in attacks, with organisations in the retail, food, and shipping sectors among those targeted.
The malware used in these attacks has been identified as a Java-based post-exploitation framework and remote access trojan (RAT). This framework facilitates reconnaissance, command execution, and file exfiltration while maintaining encrypted command-and-control (C&C) communications. Independent analyses by Huntress, Rapid7, and Binary Defense confirmed its functionality but did not attribute it to a specific threat group.
There are also unconfirmed reports linking these attacks to the Termite ransomware group, which recently targeted Blue Yonder, a provider of supply chain software. Termite is alleged to have stolen 680 GB of data from Blue Yonder, affecting high-profile clients such as Starbucks and major grocery chains.
Cleo released version 5.8.0.24 on Wednesday, which includes fixes for the vulnerability and additional measures to block potential attack vectors. The patch detects and removes exploit-related files at startup, logging errors for affected systems. Cleo strongly urged customers to implement the update immediately. “After applying the patch, errors are logged for any files found at startup related to this exploit, and those files are removed,” said the company.
For organisations unable to patch immediately, Cleo recommends disabling the Autorun feature (the directory from which the products automatically pick up and process dropped files) as a temporary mitigation. This narrows the attack surface but does not fully prevent exploitation, so it is a stopgap rather than a substitute for the update.
Shodan data shows 421 Cleo servers are publicly accessible, with 327 located in the US. Additional research by Macnica identified over 700 exposed servers running Harmony, VLTrader, and LexiCom, further underscoring the urgency of patching.
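The three paragraphs above describe the triage an operator actually has to do: find every Harmony, VLTrader, or LexiCom instance, compare its build against 5.8.0.24, and prioritise the unpatched ones that are internet-exposed or still have Autorun enabled. The script below is an added example written for this article, not Cleo's code or any vendor tooling; the inventory it runs over is constructed sample data, and the `Host` fields, the severity labels, and the assumption that builds newer than 5.8.0.24 also carry the fix are all the example's own.

```python
"""Fleet patch-status triage for Cleo Harmony / VLTrader / LexiCom.

Added example for this article (not Cleo's code). The 5.8.0.24 baseline
comes from the vendor patch discussed in the text; the inventory below is
constructed sample data, and the Host fields and severity labels are
assumptions made for illustration.
"""
from dataclasses import dataclass
import re

PATCHED_VERSION = "5.8.0.24"            # fixed build named by Cleo
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(version: str) -> tuple:
    """Turn '5.8.0.24' into (5, 8, 0, 24) for correct ordering.

    Plain string comparison gets this wrong ('5.8.0.9' > '5.8.0.24'), so
    each dotted field is compared numerically. Short strings such as '5.8'
    are padded with zeros to four fields, and a trailing build tag such as
    '5.8.0.24-hotfix' is ignored. Anything else raises, because an
    unparseable version in an inventory should be investigated, not
    silently treated as patched.
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+].*)?", version.strip())
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_patched(version: str) -> bool:
    # Assumption: any build at or above 5.8.0.24 contains the fix.
    return parse_version(version) >= parse_version(PATCHED_VERSION)


@dataclass
class Host:
    name: str
    product: str
    version: str
    internet_exposed: bool     # e.g. from a Shodan/Censys match or firewall rule review
    autorun_enabled: bool      # assumed field taken from the product's config export


def assess(host: Host) -> str:
    """Return a severity label for one host.

    critical : unpatched and reachable from the internet
    high     : unpatched, internal, Autorun still enabled
    medium   : unpatched, internal, Autorun disabled (Cleo's interim mitigation)
    """
    if host.product not in AFFECTED_PRODUCTS:
        return "not-affected"
    if is_patched(host.version):
        return "patched"
    if host.internet_exposed:
        return "critical"
    if host.autorun_enabled:
        return "high"
    return "medium"


# Constructed sample inventory (hostnames and states are invented).
SAMPLE_INVENTORY = [
    Host("mft-edge-01", "Harmony", "5.8.0.21", internet_exposed=True, autorun_enabled=True),
    Host("mft-int-02", "VLTrader", "5.8.0.23", internet_exposed=False, autorun_enabled=True),
    Host("mft-int-03", "LexiCom", "5.8.0.21", internet_exposed=False, autorun_enabled=False),
    Host("mft-edge-04", "Harmony", "5.8.0.24", internet_exposed=True, autorun_enabled=True),
    Host("sftp-legacy", "OtherMFT", "2.1", internet_exposed=True, autorun_enabled=False),
]


def report(hosts) -> dict:
    """Map each hostname to its severity label."""
    return {h.name: assess(h) for h in hosts}


def worst_first(hosts) -> list:
    """Hostnames ordered so the most urgent remediation comes first."""
    order = {"critical": 0, "high": 1, "medium": 2, "not-affected": 3, "patched": 4}
    return sorted((h.name for h in hosts), key=lambda n: order[report(hosts)[n]])


if __name__ == "__main__":
    results = report(SAMPLE_INVENTORY)
    for name in worst_first(SAMPLE_INVENTORY):
        print(f"{name:14} {results[name]}")
```

Feed it a real export (CMDB rows, a Shodan search result joined to internal asset tags) rather than the sample list, and treat any `ValueError` from `parse_version` as a host to look at by hand: a blank or odd version field in an inventory is often a server nobody owns.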
At least 10 organisations have been confirmed as victims of the exploitation, with security firms noting potential compromises in over 50 additional systems. The attackers’ primary objective is suspected to be the theft of sensitive information from businesses relying on Cleo’s software.
Although the latest patch appears to address the vulnerability effectively, Huntress noted that it has only tested the fix against its proof-of-concept and has not performed a full code review. Furthermore, with hundreds of exposed servers online and the increased availability of technical details, it is possible that multiple threat actors are now exploiting the flaw.
The situation draws parallels to the MOVEit campaign, in which the Cl0p ransomware group exploited vulnerabilities in Progress Software's MOVEit Transfer product to exfiltrate data from thousands of organisations. Experts warn that incidents involving file transfer tools, which sit on the network edge and hold other organisations' data by design, underline the need for rapid patching and ongoing security maintenance to prevent further breaches.