### #CleoHarmonyExploitation #RCEThreats #FileTransferVulnerabilities
Summary: Huntress Labs has alerted organizations about the exploitation of a critical vulnerability (CVE-2024-50623) in Cleo’s software, allowing unauthenticated remote code execution. This vulnerability poses significant risks to industries reliant on file transfer management, with evidence of widespread attacks emerging.
Threat Actor: Unknown
Victim: Various organizations
Key Points:
- Active exploitation of CVE-2024-50623 affects Cleo’s Harmony, VLTrader, and LexiCom software, allowing remote code execution.
- Threat actors are targeting a wide range of industries, including logistics and consumer products, with many vulnerable systems exposed on Shodan.
- Attackers utilize an arbitrary file-write vulnerability to execute PowerShell commands and maintain command and control through external IPs.
- Huntress recommends isolating affected systems and checking for indicators of compromise, as well as applying forthcoming patches urgently.
- A proof-of-concept has been developed by Huntress to illustrate the vulnerability, and collaboration with Cleo is underway to create a comprehensive patch.
Huntress Labs has raised the alarm over the active exploitation of a critical vulnerability (CVE-2024-50623) in Cleo’s Harmony, VLTrader, and LexiCom software, commonly used for managing file transfers. Threat actors are targeting organizations en masse, with significant implications for industries like logistics, shipping, and consumer products.
On December 3, Huntress identified a surge in malicious activity targeting Cleo’s widely used software solutions. This vulnerability allows unauthenticated remote code execution (RCE) and remains exploitable despite a recent patch (version 5.8.0.21). According to Huntress, “We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity.” The flaw impacts all versions of the software up to and including 5.8.0.21.
Victims so far include consumer product companies, food suppliers, and logistics organizations, with many potentially vulnerable systems exposed on Shodan. Huntress also noted a sharp uptick in exploitation on December 8.
The exploitation chain leverages an arbitrary file-write vulnerability. The attackers plant malicious files in Cleo’s autorun directory, which the software automatically processes and deletes post-execution. This mechanism facilitates the execution of PowerShell commands, enabling attackers to retrieve additional payloads, such as JAR files with webshell-like persistence.
One decoded PowerShell command observed by Huntress included:
The attack also incorporates reconnaissance tools like nltest.exe for Active Directory enumeration and employs external IPs such as 176.123.5.126 and 5.149.249.226 to maintain command and control (C2).
Huntress strongly advises isolating internet-facing Cleo systems behind a firewall until a comprehensive patch is available. The current mitigations include disabling autorun functionality by clearing the “Autorun Directory” field within the software’s configuration options. However, this step does not address the underlying file-write vulnerability.
For organizations using Cleo software, Huntress recommends checking for indicators of compromise (IOCs) such as the presence of main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml files containing encoded PowerShell commands. Huntress further stresses the urgency of applying any forthcoming patches.
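A defender-side check for the IOC files named above, added here as an example and not Huntress's or Cleo's own code: it walks a directory for the two file names and decodes any PowerShell `-EncodedCommand` base64 blobs (UTF-16LE text) embedded in them. The directory root and the XML layout of the constructed sample file are assumptions, not Cleo's real autorun schema.

```python
import base64
import re
import tempfile
from pathlib import Path

# File names Huntress lists as indicators of compromise for the autorun abuse
IOC_FILENAMES = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}
# A PowerShell encoded-command switch followed by a base64 blob
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob: str):
    """Decode a -EncodedCommand argument (base64 over UTF-16LE); None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_file(path: Path) -> list:
    """Return every decoded PowerShell command embedded in one file."""
    hits = []
    for match in ENCODED_RE.finditer(path.read_text(errors="replace")):
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            hits.append(decoded)
    return hits


def scan_directory(root) -> dict:
    """Walk root (assumed to be the Cleo install tree) and map each IOC-named file
    holding an encoded PowerShell command to the decoded commands found in it."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in IOC_FILENAMES:
            hits = scan_file(path)
            if hits:
                findings[path.name] = hits
    return findings


def demo() -> dict:
    """Scan a constructed directory: one benign IOC-shaped file, one IOC-named file
    without encoded content, one non-IOC file. The XML layout is invented."""
    root = Path(tempfile.mkdtemp())
    blob = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
    (root / "main.xml").write_text(f"<Autorun><Command>powershell.exe -EncodedCommand {blob}</Command></Autorun>")
    (root / "60282967-dc91-40ef-a34c-38e992509c2c.xml").write_text("<Autorun/>")
    (root / "other.xml").write_text(f"<x>-enc {blob}</x>")  # not an IOC name, ignored
    return scan_directory(root)
```

Point `scan_directory` at the real install tree on a suspect host; a non-empty result is a reason to isolate the system and review the decoded commands rather than a confirmation of what they do.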
Huntress is collaborating with Cleo to address the vulnerability and has developed a proof-of-concept to illustrate the flaw. “Our team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation,” Huntress stated. A new CVE designation and patch are expected soon.