New Cleo zero-day RCE flaw exploited in data theft attacks

Hackers are actively exploiting a zero-day vulnerability in Cleo managed file transfer software to breach corporate networks and conduct data theft attacks.

The flaw is found in the company's secure file transfer products, Cleo LexiCom, VLTrader, and Harmony, and is a remote code execution flaw tracked as CVE-2023-34362.

The Cleo MFT vulnerability affects versions 5.8.0.21 and earlier and is a bypass for a previously fixed flaw, CVE-2024-50623, which Cleo addressed in October 2024. However, the fix was incomplete, allowing threat actors to bypass it and continue to exploit it in attacks.

Cleo says its software is used by 4,000 companies worldwide, including Target, Walmart, Lowes, CVS, The Home Depot, FedEx, Kroger, Wayfair, Dollar General, Victrola, and Duraflame.

These attacks are reminiscent of previous Clop data theft attacks that exploited zero-days in managed file transfer products, including the 2023 mass-exploitation of MOVEit Transfer, the attacks using a GoAnywhere MFT zero-day, and the December 2020 zero-day exploitation of Accellion FTA servers.

However, cybersecurity expert Kevin Beaumont claims that these Cleo data theft attacks are linked to the new Termite ransomware gang, which recently breached Blue Yonder, a supply chain software provider used by many companies worldwide.

"Termite ransomware group operators (and maybe other groups) have a zero day exploit for Cleo LexiCom, VLTransfer, and Harmony," Beaumont posted to Mastodon.

In-the-wild attacks

The active exploitation of Cleo MFT software was first spotted by Huntress security researchers, who also published a proof of concept (PoC) exploit in a new write-up warning users to take urgent action.

"This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable," explains Huntress.

"We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released."

Evidence of active exploitation of CVE-2024-50623 began on December 3, 2024, with a significant uptick in the volume of attacks observed on December 8.

Though attribution remains unclear, the attacks are linked to the following IP addresses in the United States, Canada, the Netherlands, Lithuania, and Moldova.

176.123.5.126 - AS 200019 (AlexHost SRL) - Moldova 

5.149.249.226 - AS 59711 (HZ Hosting Ltd) - Netherlands 

185.181.230.103 - AS 60602 (Inovare-Prim SRL) - Moldova

209.127.12.38 - AS 55286 (SERVER-MANIA / B2 Net Solutions Inc) - Canada

181.214.147.164 - AS 15440 (UAB Baltnetos komunikacijos) - Lithuania‍

192.119.99.42  - AS 54290 (HOSTWINDS LLC) - United States

The attacks exploit the Cleo flaw to write files named 'healthchecktemplate.txt' or 'healthcheck.txt' into the 'autorun' directory of the targeted endpoints, which are automatically processed by Cleo software.

When this happens, the files invoke built-in import functionalities to load additional payloads like ZIP files containing XML configurations ('main.xml'), which contain PowerShell commands that will be executed.

The PowerShell commands make callback connections to remote IP addresses, download additional JAR payloads, and wipe malicious files to hinder forensic investigation.

In the post-exploitation phase, Huntress says the attackers use 'nltest.exe' to enumerate Active Directory domains, deploy webshells for persistent remote access on compromised systems, and use TCP channels to ultimately steal data.

Huntress' telemetry indicates that these attacks have impacted at least ten organizations using Cleo software products, some of which do business in consumer products, the food industry, trucking, and shipping.

Huntress notes that there are more potential victims beyond its visibility, with Shodan internet scans returning 390 results for Cleo software products, The vast majority (298) of vulnerable servers are located in the United States.

Yutaka Sejiyama, a threat researcher at Macnica, told BleepingComputer that his scans return 379 results for Harmony, 124 for VLTrader, and 240 for LexiCom.

Action required

Given the active exploitation of CVE-2024-50623 and the ineffectiveness of the current patch (version 5.8.0.21), users must take immediate steps to mitigate the risk of compromise.

Huntress suggests moving internet-exposed systems behind a firewall and restricting external access to Cleo systems.

Also, it's recommended to turn off the autorun feature by following these steps:

1. Open the Cleo application (LexiCom, VLTrader, or Harmony)
2. Navigate to: Configure > Options > Other Pane
3. Clear the field labeled Autorun Directory
4. Save the changes

Check for compromise by looking for suspicious TXT and XML files on the directories 'C:\LexiCom,' 'C:\VLTrader,' and 'C:\Harmony,' and inspect logs for PowerShell command execution.

Huntress says Cleo expects a new security update for this flaw to be released later this week.

BleepingComputer has contacted Cleo with additional questions, and we will update this post as soon as we receive a response.