overview

CVE-2024-50623 is a critical vulnerability in Cleo's file transfer products—Harmony, VLTrader, and LexiCom—allowing unauthenticated remote code execution through unrestricted file upload and download mechanisms. This flaw enables attackers to execute arbitrary code on affected systems, posing significant security risks. 

Affected Products and Versions: 

  • Cleo Harmony® versions prior to 5.8.0.21 
  • Cleo VLTrader® versions prior to 5.8.0.21 
  • Cleo LexiCom® versions prior to 5.8.0.21 

Cleo released version 5.8.0.21 to address this vulnerability, but subsequent reports indicated that this patch was insufficient, leaving systems vulnerable. Cleo has since released an updated patch in version 5.8.0.24 to fully mitigate the issue. (Rapid7) 

The vulnerability has been actively exploited in the wild, with attackers leveraging the autorun feature to upload malicious files that execute arbitrary commands, including PowerShell scripts for persistence and lateral movement. Industries such as consumer products, food, trucking, and shipping have been targeted.  

 

 

how avertium is protecting our customers

 

IOCs ADDED TO OUR THREAT FEEDS

NOTE!: Avertium is actively searching across all monitored environments for the IoC’s listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager. 
  • healthchecktemplate.txt 
  • 60282967-dc91-40ef-a34c-38e992509c2c.xml

 

TTPs TO MONITOR

Initial Access: 

  • Exploit Public-Facing Application (T1190): Attackers exploit the unrestricted file upload vulnerability to gain unauthorized access to the system.  

Rapid7 

Execution: 

  • Command and Scripting Interpreter (T1059): Post-exploitation, adversaries execute commands via scripts, such as PowerShell, to control the compromised system.  

Rapid7 

Discovery: 

  • System Owner/User Discovery (T1033): Attackers gather information about user accounts on the compromised system. 
  • System Information Discovery (T1082): Adversaries collect details about the system's configuration and software. 
  • Domain Trust Discovery (T1482): Exploration of domain trust relationships to facilitate lateral movement. 
  • Permission Groups Discovery (T1069): Enumeration of user groups and permissions to identify potential escalation paths.  

Rapid7 

Lateral Movement: 

  • Use Alternate Authentication Material: Pass the Hash (T1550.002): Utilizing captured credentials to move laterally within the network. 

 

 

additional recommendations + information

1. Immediate Mitigation: 
  • Move any internet-exposed Cleo systems behind a firewall. 
  • Disable the autorun feature in affected software: 
  • Go to Configure → Options → Other Pane and delete the contents of the Autorun Directory field. 
2. Patch and Monitor Systems: 
  • Monitor Cleo’s announcements for the upcoming patch release. 
  • Apply the patch immediately when available. 
3. Network Security: 
  • Block known malicious IP addresses at the network level. 
  • Isolate affected systems and monitor for abnormal behavior, such as unexpected PowerShell executions. 

 

 

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).




 

SUPPORTING DOCUMENTATION

National Vulnerability Database 

Widespread Exploitation of Cleo File Transfer Software (CVE-2024-55956) 

Security Advisory: Critical Vulnerabilities in Cleo VLTrader, Harmony, and LexiCom Actively Exploited (CVE-2024-50623) 

Cleo Product Security Advisory - CVE-2024-50623 

 

 
Chat With One of Our Experts



RCE Remote Code Execution (RCE) vulnerabilities Remote Code Execution vulnerabilities Flash Notice Critical Vulnerability Blog