Mass Hacks Perpetrated via Cleo File Transfer Tool Flaw
Hackers are exploiting a critical vulnerability in Cleo’s file transfer software, impacting enterprises globally. The flaw, tracked as CVE-2024-50623, affects Cleo’s Harmony, VLTrader, and LexiCom products, widely used for managing secure data transfers. Cybersecurity firm Huntress revealed that despite a patch issued in October, the vulnerability remains exploitable, leading to widespread attacks that have been occurring since early December.
According to the security advisory released by Cleo, the vulnerability allows attackers to perform unrestricted file uploads/downloads and remote code execution, even on systems updated to version 5.8.0.21. Huntress observed exploitation beginning on December 3, with a sharp uptick in activity by December 8. The firm also highlighted that many Cleo servers remain internet-exposed, as evidenced by Shodan scans.
Cleo’s Senior Vice President of Product Development, Jorge Rodriguez, confirmed that the company is developing a new patch to address the issue. However, Cleo has not disclosed how many customers were affected by the attacks or whether sensitive data has been exfiltrated. At least 24 businesses, including logistics and food supply companies, have reported server compromises, Huntress researcher John Hammond told TechCrunch.
The ongoing exploitation of Cleo’s tools comes amid rising concerns over vulnerabilities in widely used enterprise software. Similar risks were recently highlighted when researchers discovered a Windows Update flaw enabling downgrade attacks, underscoring the urgency of securing critical infrastructure.
Security researchers warn that the Cleo flaw is reminiscent of previous attacks on file transfer systems, such as those targeting MOVEit and GoAnywhere, which resulted in widespread data breaches. According to SecurityWeek, threat actors exploiting Cleo’s vulnerability have been observed establishing persistence on compromised systems, conducting reconnaissance, and carrying out other unspecified post-exploitation activity.
Huntress has urged organizations using Cleo products to move internet-exposed systems behind firewalls and to disable the autorun feature. The cybersecurity firm noted that the malicious XML or text files linked to the exploitation appear in the “hosts” subdirectory of a software installation and can invoke PowerShell commands to download additional payloads.
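As an added illustration of the detection point Huntress describes (this is not Cleo’s or Huntress’s code), the following Python script scans the “hosts” subdirectory of a Cleo installation for XML or text files that contain PowerShell invocations. The installation path, the sample files and every pattern beyond the word “powershell” are assumptions for the example.

```python
import re
import tempfile
from pathlib import Path

# Named heuristics for a PowerShell download-and-run chain. "powershell" is the
# indicator the reporting names; the other entries are assumed, common markers.
SUSPICIOUS_PATTERNS = {
    "powershell": re.compile(r"powershell(\.exe)?", re.IGNORECASE),
    "invoke-expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.IGNORECASE),
    "web-download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.IGNORECASE),
    "encoded-command": re.compile(r"-(enc|encodedcommand)\b", re.IGNORECASE),
}
# File types the reporting associates with the activity.
SCAN_SUFFIXES = {".xml", ".txt"}


def scan_hosts_dir(install_dir):
    """Return [(relative_path, [matched_pattern_names])] for files under <install>/hosts."""
    hosts = Path(install_dir) / "hosts"
    findings = []
    if not hosts.is_dir():
        return findings  # assumed layout not present: nothing to scan
    for path in sorted(hosts.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        if hits:
            findings.append((str(path.relative_to(hosts)), hits))
    return findings


def build_sample_install():
    """Constructed sample installation: one benign host definition, one suspicious file."""
    root = Path(tempfile.mkdtemp())
    hosts = root / "hosts"
    hosts.mkdir()
    (hosts / "partner.xml").write_text("<Host alias='partner'><Type>FTP</Type></Host>\n")
    # Constructed content; the encoded argument is a placeholder, not a real payload.
    (hosts / "update.txt").write_text("cmd /c powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>\n")
    return str(root)


if __name__ == "__main__":
    for rel, hits in scan_hosts_dir(build_sample_install()):
        print(f"SUSPICIOUS hosts/{rel}: {', '.join(hits)}")
```

Run it against the real installation directory instead of the constructed sample to triage a server; a hit is a reason to preserve the file for forensics, not to delete it.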
Cleo has over 4,200 customers worldwide, including major companies such as Target, Walmart, and FedEx. As organizations await a new patch from Cleo, experts stress the importance of immediate protective measures to safeguard critical business operations.