On December 11, 2024, Cleo released patches addressing the zero-day vulnerability recently observed in attacks targeting Cleo Managed File Transfer (MFT) products.
This vulnerability allowed unauthenticated threat actors to import and execute arbitrary shell commands on affected Windows and Linux devices by exploiting the default settings of the Autorun directory. The fix is included in version 5.8.0.24, which is now available for Cleo Harmony, VLTrader, and Lexicom. Cleo has also stated that after the update is applied, any files found at startup to be related to the exploit will be logged and removed.
As documented in our recently published research blog article, Arctic Wolf began observing this novel campaign on December 7, 2024, targeting Cleo MFT products across multiple customer environments. While the vulnerability was initially suspected to be linked to CVE-2024-50623, a remote code execution (RCE) vulnerability involving filesystem manipulation, a separate CVE identifier has not yet been assigned to this issue.
With a proof of concept (PoC) exploit now available, threat actors are likely to continue targeting this vulnerability. Ransomware groups, in particular, are likely to exploit it; reports have emerged suggesting that threat actors deploying Termite ransomware may have been using the zero-day.
Recommendations
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of their respective Cleo product as soon as possible.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Cleo Harmony | Versions prior to 5.8.0.24 | 5.8.0.24 |
| Cleo VLTrader | Versions prior to 5.8.0.24 | 5.8.0.24 |
| Cleo Lexicom | Versions prior to 5.8.0.24 | 5.8.0.24 |
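The table above gives "prior to 5.8.0.24" as the affected range, and the four-component version strings are easy to get wrong when checked as plain strings ("5.8.0.9" sorts after "5.8.0.24" lexically but is older). The following is an added example, not Arctic Wolf's or Cleo's code, of a numeric version comparison that flags hosts still running an affected build; the hostnames and installed versions in the sample inventory are constructed, and only the fixed version 5.8.0.24 is taken from the advisory.

```python
"""Version check helper (added example, not Arctic Wolf or Cleo code).

Decides whether a Cleo Harmony / VLTrader / Lexicom install is prior to
the 5.8.0.24 fixed version by comparing dotted version strings
numerically rather than lexically.
"""
from __future__ import annotations

FIXED_VERSION = "5.8.0.24"  # fixed version stated in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24); anything non-numeric is rejected."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b.

    Shorter tuples are padded with zeros so '5.8' and '5.8.0.0' compare equal.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def needs_upgrade(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is prior to the fixed version."""
    return compare_versions(installed, fixed) < 0


def assess(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to 'VULNERABLE' or 'PATCHED' from its installed version."""
    return {
        host: ("VULNERABLE" if needs_upgrade(version) else "PATCHED")
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "mft-harmony-01": "5.8.0.21",
        "mft-vltrader-01": "5.8.0.9",
        "mft-lexicom-01": "5.8.0.24",
        "mft-harmony-02": "5.9.0",
    }
    for host, status in assess(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```

Feed `assess()` whatever host-to-version mapping your asset inventory produces; anything reported as VULNERABLE should be patched or, per the workaround below, taken off the internet until it can be.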
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Workaround
Remove Internet-Exposed Cleo Systems from the Internet
If patching is not an option for your organization at this time, Arctic Wolf strongly recommends that you remove any internet-exposed Cleo systems from the internet until you are able to apply the patch.