A critical vulnerability in Cleo file-transfer software was assigned a CVE two days after the company released a patch.
The vulnerability, listed as CVE-2024-55956, allows an unauthenticated user to import and execute arbitrary bash or PowerShell commands on a host system. The vulnerability affects Cleo Harmony, VLTrader and LexiCom prior to version 5.8.0.24.
The vulnerability was discovered after Huntress researchers determined that a patch for an unrestricted file upload and download vulnerability, listed as CVE-2024-50623, was not offering full protection against attacks. That vulnerability, originally disclosed in October, affects version 5.8.0.21.
Security researchers say the vulnerabilities have been under active exploitation since at least Dec. 3, with companies targeted across consumer products, the food industry, retail, trucking and other sectors.
The security community has criticized the company for the delay in assigning the CVE and for a lack of clarity about which vulnerability posed the greatest risk.
“CVE identifiers allow organizations and the broader community to track and prioritize risk more effectively, as do vulnerability details that allow folks to understand the root cause of security issues and their potential impacts within an organization's specific risk model,” said Caitlin Condon, director of vulnerability intelligence at Rapid7.
Condon said there’s been some public confusion about the role of the October CVE compared with the zero-day vulnerability disclosed earlier this month.
“CVE identifiers are how most organizations gain visibility into each unique vulnerability and the affected software,” Patrick Garrity, security researcher at VulnCheck, said via email.
The recently disclosed vulnerability, CVE-2024-55956, is not a bypass of the patch but a brand-new vulnerability with a different root cause and exploitation strategy, Rapid7 researchers said in a Monday blog post.
“In other words, it’s a net-new zero-day bug rather than a straightforward patch bypass, with different implications for attack workflows despite occurring in a similar area of the Cleo product as CVE-2024-50623 and leveraging the same endpoint,” Condon told Cybersecurity Dive.
Based on the indicators of compromise published by Cleo, CVE-2024-50623 was leveraged to achieve remote code execution via server-side template injection, according to Stephen Fewer, principal security researcher at Rapid7.
“We think this strategy required credentials, so the attacker could have leveraged CVE-2024-50623 to also get credentials, as it’s both a file read and write vulnerability,” Fewer said.
The Cybersecurity and Infrastructure Security Agency added CVE-2024-50623 to its Known Exploited Vulnerabilities catalog on Friday and noted that it has been exploited in ransomware attacks.
CISA has been monitoring the threat activity and encouraged Cleo customers to actively update their systems, according to one official. The agency also encouraged customers to actively track end-of-life and end-of-support software and hardware, and to replace them if necessary.
Shadowserver on Sunday reported 930 instances exposed to CVE-2024-50623, with about 720 of them located in the U.S.
Clop, the financially motivated threat group linked to the MOVEit attack spree, released a cryptic statement through a data leak site stating it would delete links to data of all companies and permanently delete data from all servers.
Huntress researchers confirmed the claim was released through a Clop data leak site.