Widespread Exploitation of Cleo File Transfer Software

Dec. 16, 2024, 2:34 p.m.

Description

Critical vulnerabilities in Cleo file transfer products, including VLTrader, Harmony, and LexiCom, are being actively exploited. Initially stemming from an insufficient patch for CVE-2024-50623, a new critical vulnerability (CVE-2024-55956) allows unauthenticated users to execute arbitrary commands. Exploitation has been confirmed in customer environments, with attackers dropping modular Java backdoors and conducting post-exploitation activities. Affected versions include those prior to 5.8.0.24. Immediate patching and removal from public internet access are recommended. Indicators of compromise and post-exploitation behavior have been observed, including enumeration commands, PowerShell usage, and attempts to clear Windows event logs.

External References

https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/
https://otx.alienvault.com/pulse/676038680e5f7630d485df71
Tags
cleo
CVE-2024-55956
2024-12-16

Date

  • Created: Dec. 16, 2024, 2:25 p.m.
  • Published: Dec. 16, 2024, 2:25 p.m.
  • Modified: Dec. 16, 2024, 2:34 p.m.

Indicators

  • 89.248.172.139
  • 45.182.189.102
  • 185.163.204.137
  • 185.162.128.133
  • 185.181.230.103
  • 176.123.10.115
Download all indicators here!

Attack Patterns

  • Cobalt Strike

Linked vulnerabilities

CVE-2024-50623

8.8
    Cleo Harmony
    VLTrader
    LexiCom
Published: October 28, 2024

CVE-2024-55956

9.8
    Cleo
  • Harmony
  • Lexicom
  • Vltrader
Published: December 13, 2024