Critical Vulnerability in Cleo Software (CVE-2024-50623)

Executive Summary

On December 10th, software vendor Cleo published an advisory detailing a critical vulnerability (CVE-2024-50623) in its Harmony, VLTrader, and LexiCom products. The flaw allows an unauthenticated attacker to upload malicious files and abuse a system autorun feature to achieve remote code execution (RCE). These products are B2B data transfer systems that organizations must deploy as internet facing by design, so successful exploitation of this vulnerability gives threat actors initial access into affected organizations’ networks from which to extend the compromise. Several sources report that this vulnerability is currently under active exploitation by threat actor groups.

Cleo released software patches when the vulnerability was first reported; however, analysis from security firm Huntress revealed the patches were ineffective, and fully updated systems were still being actively exploited. Cleo followed up with another set of patches, which appear to fix the vulnerability. Additionally, Cleo has provided mitigation steps, including disabling the AutoRun feature within the software, which is the feature being actively exploited. More details are in the “Mitigations and Workarounds” section of this article.

Beazley Security strongly recommends organizations immediately apply mitigations for affected Cleo products as there is active and ongoing exploitation of this issue.

Affected Systems and Products

This vulnerability affects Cleo products Harmony, VLTrader, and LexiCom. Official patches have been released and are detailed below.

Product          Affected                      Unaffected
Cleo Harmony     prior to version 5.8.0.24     5.8.0.24
Cleo VLTrader    prior to version 5.8.0.24     5.8.0.24
Cleo LexiCom     prior to version 5.8.0.24     5.8.0.24

Mitigations and Workarounds

Cleo has advised customers to immediately upgrade impacted installations of Harmony, VLTrader, and LexiCom to software version 5.8.0.24.

Beazley Security Labs recommends affected organizations install the patch immediately as this vulnerability is actively being exploited by threat actors. Affected organizations should, at the very least, disable the AutoRun feature on their Harmony, VLTrader, and LexiCom systems until the patch can be installed.

Huntress have detailed a workaround that disables the autorun feature to prevent arbitrary execution in Cleo software; however, this does not fix the underlying file-write vulnerability. The patch is the only way to fully mitigate the attack. The steps to disable autorun execution are:

  1. Go to the “configure” menu of LexiCom, Harmony, or VLTrader
  2. Select “Options”
  3. Navigate to the “Other” pane
  4. Delete the contents of “Autorun Directory” field

In summary, organizations should verify the integrity of these products and apply security patches directly from Cleo. See the “Indicators of Compromise” section for guidance on artifacts to look for when reviewing systems for possible compromise.

Patches

Cleo has provided this link with instructions on how to apply available patches. The patch updates Harmony, VLTrader, and LexiCom to version 5.8.0.24, which reportedly fixes the vulnerability.

Patch notes indicate the fix “addresses a critical vulnerability which exploits the ability for unrestricted file upload, download, and execution” of malicious content in the product. After the patch is applied, errors are logged for any files found at startup that are related to the exploit. The patch notes also state that any such files discovered will be removed.

Indicators of Compromise (IOC)

Huntress have provided observed IoCs on their blog including the following callback IP addresses:

  • 176.123.5.126
  • 5.149.249.226
  • 185.181.230.103
  • 209.127.12.38
  • 181.214.147.164
  • 192.119.99.42

Additionally, the primary use of the arbitrary file upload bug was to upload malicious scripts into the autorun directory. Affected organizations should review activity logs for that directory for suspicious activity.
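Two checks a defender would want when triaging this advisory, as an added example that is not from Beazley Security, Huntress, or Cleo: deciding whether an installed version is “prior to 5.8.0.24” (numeric comparison, since a lexical string compare misorders 5.8.0.3 against 5.8.0.24), and matching outbound connections against the Huntress callback IPs listed above. The log format below is constructed for the example and is not Cleo’s own log format.

```python
import re

# Callback IP addresses reported by Huntress (the IoC list in this advisory).
CALLBACK_IPS = {
    "176.123.5.126", "5.149.249.226", "185.181.230.103",
    "209.127.12.38", "181.214.147.164", "192.119.99.42",
}

# First release that carries the working fix for CVE-2024-50623.
FIXED_VERSION = (5, 8, 0, 24)


def parse_version(text):
    """Turn '5.8.0.21' into (5, 8, 0, 21) so that comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when the installed version is prior to 5.8.0.24.

    Note: '5.8.0.3' < '5.8.0.24' is False as a *string* comparison, which
    would wrongly report that build as patched; tuples compare correctly.
    """
    return parse_version(version) < FIXED_VERSION


# Constructed sample of an outbound-connection log (hypothetical format):
# "<timestamp> <host> OUT <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-12-10T14:02:11Z mft01 OUT 10.0.0.5:443
2024-12-10T14:03:47Z mft01 OUT 176.123.5.126:443
2024-12-10T14:05:02Z mft02 OUT 192.119.99.42:8080
2024-12-10T14:06:30Z mft02 OUT 203.0.113.7:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) OUT (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def find_callbacks(log_text):
    """Return (timestamp, host, dst_ip) for each line hitting a known callback IP."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not outbound-connection records
        timestamp, host, dst_ip, _port = match.groups()
        if dst_ip in CALLBACK_IPS:
            hits.append((timestamp, host, dst_ip))
    return hits


if __name__ == "__main__":
    for v in ("5.8.0.3", "5.8.0.21", "5.8.0.24"):
        print(v, "AFFECTED" if is_affected(v) else "patched")
    for hit in find_callbacks(SAMPLE_LOG):
        print("connection to known callback address:", *hit)
```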

Technical Details

The vulnerability at the root of the problem (CVE-2024-50623) is an arbitrary file upload and download vulnerability. According to analysis by Huntress, threat actors were abusing this vulnerability to upload malicious scripts into an autorun folder that is part of the Cleo system architecture.

This autorun system automatically executes scripts placed in that folder and then deletes them after execution. It was the primary feature abused by the threat actor in follow-up actions and was seen being used to upload further scripts and to install and execute malicious Java programs that perform reconnaissance on internal networks.

Figure 1: Kill Chain

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment in order to detect potential exploitation attempts against our clients.
