Cleo Software Actively Being Exploited in the Wild
Dec. 10, 2024, 3:03 p.m.
Description
A critical vulnerability in Cleo's LexiCom, VLTransfer, and Harmony managed file transfer products is being actively exploited. The flaw allows unauthenticated remote code execution and affects all versions up to and including 5.8.0.21. Attackers are using it to drop malicious files, execute PowerShell commands, and establish persistence on affected systems. The attack chain involves placing files in the product's 'autorun' directory and abusing the software's import functionality to have them processed. Post-exploitation activity includes domain reconnaissance and potential Active Directory enumeration. Multiple businesses have been compromised, particularly in the consumer products, food, trucking, and shipping sectors. Huntress researchers have developed a proof-of-concept and are working with Cleo to address the issue.
Date
Published: Dec. 10, 2024, 11:40 a.m.
Created: Dec. 10, 2024, 11:40 a.m.
Modified: Dec. 10, 2024, 3:03 p.m.
Attack Patterns
T1078.002 (Valid Accounts: Domain Accounts)
T1021.001 (Remote Services: Remote Desktop Protocol)
T1018 (Remote System Discovery)
T1136 (Create Account)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1087 (Account Discovery)
T1082 (System Information Discovery)
T1105 (Ingress Tool Transfer)
T1083 (File and Directory Discovery)
T1133 (External Remote Services)
T1078 (Valid Accounts)
Additional Information (affected sectors)
Retail
Transportation
Manufacturing