
CISA Adds Cleo Bug to Known Exploited Vulnerabilities (CVE-2024-50623)

CVE-2024-50623

Filip Dimitrov

December 16, 2024

On December 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-50623 to its list of known exploited vulnerabilities after it had been used to launch ransomware attacks.

The vulnerability affects the Cleo product line, including Harmony, VLTrader, and LexiCom. Cleo is a popular software platform used for secure file transfer, integration, and data movement across enterprises. 

Vulnerability overview:

  • Description: The vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable servers exposed online.
  • Severity: Critical (CVSS Score pending, but high impact and ease of exploitation indicate criticality)
  • Vulnerability Type: CWE-434 (Unrestricted Upload of File with Dangerous Type)
  • Attack Vector: Unrestricted file upload and download functionality.
  • Impact: Remote Code Execution (RCE), leading to potential system compromise and data breaches.
  • Affected Products:
    • Cleo Harmony (versions < 5.8.0.21)
    • VLTrader (versions < 5.8.0.21)
    • LexiCom (versions < 5.8.0.21)

Active exploitation and impact:

CVE-2024-50623 was originally discovered and patched in October 2024, but Cleo did not disclose whether it was being actively exploited in the wild.

CISA added CVE-2024-50623 to its Known Exploited Vulnerabilities (KEV) catalog on December 13, 2024, confirming its exploitation in ransomware campaigns. However, even patched Cleo servers were found compromised through a zero-day bypass targeting default Autorun folder settings, allowing the execution of arbitrary commands via PowerShell or Bash.

Similarities were drawn between these attacks and the Clop ransomware group, although attribution to specific threat actors remains speculative.

Timeline:

  • October 2024: Initial patch (5.8.0.21) released to address CVE-2024-50623.
  • December 2024:
    • Huntress reports active exploitation of patched systems via a zero-day bypass.
    • Cleo releases a secondary patch (5.8.0.24) to address the zero-day flaw.
    • CISA adds CVE-2024-50623 to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies to patch by January 3, 2025, under BOD 22-01.

Mitigation:

  1. Patch Updates: Cleo released a patch in October 2024 (version 5.8.0.21) to address CVE-2024-50623. A subsequent patch (5.8.0.24) fixed the zero-day bypass and secured Autorun settings.
  2. Disable Autorun (if immediate patching is not possible):
    • Clear the Autorun directory from the System Options menu.
    • Disable the feature entirely to reduce the attack surface.
  3. Log Monitoring: Patched Cleo versions log errors for malicious files found at startup and remove them; review these log entries to identify hosts that were targeted.
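The mitigation steps above amount to two checks a defender can automate: is each Cleo host at or above the patch level that matters (5.8.0.21 for CVE-2024-50623, 5.8.0.24 for the Autorun bypass), and is the Autorun directory actually empty? The following script is an added example written for this post; it is not code from OP Innovate or Cleo. The version thresholds and product names come from the advisory; the inventory and the Autorun directory path are constructed placeholders, and the real location of the Autorun directory on an installation is an assumption you must supply.

```python
"""Added example: triage Cleo Harmony/VLTrader/LexiCom hosts against the two
patch levels named in the advisory and audit an Autorun directory that the
interim mitigation says should be cleared."""
import tempfile
from pathlib import Path
from typing import List, Tuple

# Patch levels taken from the advisory.
FIX_CVE_2024_50623 = (5, 8, 0, 21)   # October 2024 patch for CVE-2024-50623
FIX_AUTORUN_BYPASS = (5, 8, 0, 24)   # December 2024 patch for the Autorun bypass

AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '5.8.0.21' into a four-part comparable tuple (missing parts are 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)  # type: ignore[return-value]


def assess(product: str, version: str) -> str:
    """Classify one host. A host patched only to 5.8.0.21 is the important
    edge case: fixed for the CVE, still exposed to the Autorun bypass."""
    if product not in AFFECTED_PRODUCTS:
        return "not_in_scope"
    v = parse_version(version)
    if v < FIX_CVE_2024_50623:
        return "vulnerable_cve_2024_50623"
    if v < FIX_AUTORUN_BYPASS:
        return "vulnerable_autorun_bypass"
    return "patched"


def triage_inventory(inventory):
    """inventory: iterable of (hostname, product, version) tuples."""
    return [(host, product, version, assess(product, version))
            for host, product, version in inventory]


def audit_autorun_dir(autorun_dir: Path) -> List[str]:
    """Return the names of any files in the Autorun directory. The interim
    mitigation is to clear it, so every entry returned warrants a look."""
    if not autorun_dir.is_dir():
        return []
    return sorted(p.name for p in autorun_dir.iterdir() if p.is_file())


def demo_autorun_audit() -> List[str]:
    """Self-contained demonstration: build a constructed Autorun directory
    with two leftover script files and audit it. Real deployments would pass
    the installation's actual Autorun path (an assumption, not given here)."""
    with tempfile.TemporaryDirectory() as tmp:
        autorun = Path(tmp) / "autorun"      # placeholder path, constructed
        autorun.mkdir()
        (autorun / "sync.sh").write_text("# constructed leftover file\n")
        (autorun / "run.ps1").write_text("# constructed leftover file\n")
        return audit_autorun_dir(autorun)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mft-01", "Harmony",  "5.8.0.20"),   # never patched
    ("mft-02", "VLTrader", "5.8.0.21"),   # October patch only
    ("mft-03", "LexiCom",  "5.8.0.24"),   # both patches applied
    ("erp-01", "OtherApp", "1.0"),        # not a Cleo product
]

if __name__ == "__main__":
    for host, product, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {product:9} {version:9} {status}")
    print("Autorun entries needing review:", demo_autorun_audit())
```

Run it as-is to see the constructed inventory classified; in practice, feed `triage_inventory` from your asset database and point `audit_autorun_dir` at each host's real Autorun directory. Hosts reported as `vulnerable_autorun_bypass` are the ones the advisory warns about: patched for the original bug, still needing 5.8.0.24 or the Autorun workaround.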

Stay Secure. Stay Informed.

OP Innovate Research Team.
