Widespread Exploitation of Cleo File Transfer Software
Essential information
- Published
- 16/12/2024 14:25
- Modified
- 16/12/2024 14:34
- Tags
- 2024-12-16 CVE-2024-55956 cleo
- Related entities
- 2 vulnerabilities (cve), 6 observables, 11 techniques (mitre), 1 malware
Description
Critical vulnerabilities in Cleo file transfer products, including VLTrader, Harmony, and LexiCom, are being actively exploited. Initially stemming from an insufficient patch for CVE-2024-50623, a new critical vulnerability (CVE-2024-55956) allows unauthenticated users to execute arbitrary commands. Exploitation has been confirmed in customer environments, with attackers dropping modular Java backdoors and conducting post-exploitation activities. Affected versions include those prior to 5.8.0.24. Immediate patching and removal from public internet access are recommended. Indicators of compromise and post-exploitation behavior have been observed, including enumeration commands, PowerShell usage, and attempts to clear Windows event logs.