Cleo Software Actively Being Exploited in the Wild

Dec. 10, 2024, 3:03 p.m.

Description

A critical vulnerability in Cleo's LexiCom, VLTransfer, and Harmony software, used for file transfer management, is being actively exploited. The flaw allows unauthenticated remote code execution, affecting all versions up to and including 5.8.0.21. Attackers are exploiting this vulnerability to drop malicious files, execute PowerShell commands, and gain persistence on affected systems. The attack chain involves placing files in the 'autorun' directory and leveraging the software's import functionality. Post-exploitation activities include domain reconnaissance and potential Active Directory enumeration. Multiple businesses, particularly in consumer products, food industry, trucking, and shipping sectors, have been compromised. Huntress researchers have developed a proof-of-concept and are working with Cleo to address the issue.

Date

  • Created: Dec. 10, 2024, 11:40 a.m.
  • Published: Dec. 10, 2024, 11:40 a.m.
  • Modified: Dec. 10, 2024, 3:03 p.m.

Indicators

  • 192.119.99.42
  • 209.127.12.38
  • 5.149.249.226
  • 176.123.5.126

Attack Patterns

  • T1078.002
  • T1021.001
  • T1018
  • T1136
  • T1059.001
  • T1087
  • T1082
  • T1105
  • T1083
  • T1133
  • T1078

Additional Information

  • Retail
  • Transportation
  • Manufacturing