Exploitation of critical vulnerabilities in Cleo file-transfer software continued Friday as security researchers began to raise concerns over the lack of a CVE designation for a second flaw disclosed earlier this week.
Cleo on Thursday urged users to immediately upgrade to the latest versions of Harmony, VLTrader and LexiCom software after Huntress researchers alerted the company that hackers could still get around a patch issued in October for an unrestricted file upload and download vulnerability, listed as CVE-2024-50623.
The newly discovered vulnerability, which allows unauthenticated attackers to import and execute arbitrary bash or PowerShell commands, has yet to get a CVE designation, almost a week after its discovery.
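The vulnerability class described in the two paragraphs above (an upload endpoint that writes a file wherever the client-supplied name points, next to a step that imports and executes scripts) is easiest to see in code. What follows is a generic, added illustration written for this page; it is not Cleo's code and not Huntress's proof of concept. The `uploads` and `hooks` directories, the simulated importer, the allowlist of extensions and the sample file names are all assumptions made for the example.

```python
"""
Added illustration of the unrestricted-file-upload -> command-execution class.
Hypothetical layout (an assumption, not Cleo's): clients upload into ./uploads,
and an importer executes every *.sh / *.ps1 it finds in ./hooks. If the upload
handler trusts the client's file name, a traversal name such as
'../hooks/pwn.sh' plants a script that the importer later runs.
"""
import os
import posixpath
import tempfile
from pathlib import Path


class UploadRejected(Exception):
    """Raised by the hardened handler for names it refuses to store."""


def vulnerable_save(upload_root: Path, client_name: str, data: bytes) -> Path:
    # Trusts the client-supplied name verbatim; '../hooks/pwn.sh' escapes
    # upload_root because the OS resolves the '..' component on write.
    dest = Path(os.path.join(str(upload_root), client_name))
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


# Assumed allowlist of content a file-transfer endpoint should accept; script
# extensions are deliberately absent.
ALLOWED_SUFFIXES = {".csv", ".txt", ".xml", ".zip"}


def hardened_save(upload_root: Path, client_name: str, data: bytes) -> Path:
    # 1. Accept a bare file name only: any directory component (forward or
    #    back slash) or '.'/'..' is rejected outright rather than sanitised.
    base = posixpath.basename(client_name.replace("\\", "/"))
    if base in ("", ".", "..") or base != client_name:
        raise UploadRejected(f"directory component in name: {client_name!r}")
    # 2. Allowlist extensions so script types are never stored at all.
    if Path(base).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UploadRejected(f"extension not allowed: {client_name!r}")
    # 3. Defence in depth: resolve both sides and confirm containment.
    root = upload_root.resolve()
    dest = (root / base).resolve()
    if dest.parent != root:
        raise UploadRejected(f"escaped upload root: {client_name!r}")
    dest.write_bytes(data)
    return dest


def hooks_executed_by_importer(hook_dir: Path) -> list:
    """Simulated importer: lists the scripts it WOULD run (no subprocess)."""
    return sorted(p.name for p in hook_dir.iterdir() if p.suffix in (".sh", ".ps1"))


def demo() -> dict:
    """Run both handlers against the same constructed inputs; return results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads, hooks = root / "uploads", root / "hooks"
        uploads.mkdir()
        hooks.mkdir()

        traversal = "../hooks/pwn.sh"          # constructed attacker name
        vulnerable_save(uploads, traversal, b"#!/bin/sh\nid\n")
        vulnerable_hooks = hooks_executed_by_importer(hooks)   # ['pwn.sh']
        (hooks / "pwn.sh").unlink()                            # reset

        rejected = []
        for name in (traversal, "report.sh", "..", "a/b.csv", "ok.csv"):
            try:
                hardened_save(uploads, name, b"x")
            except UploadRejected:
                rejected.append(name)
        return {
            "vulnerable_hooks": vulnerable_hooks,
            "rejected": rejected,
            "hardened_hooks": hooks_executed_by_importer(hooks),  # []
            "accepted_present": (uploads / "ok.csv").exists(),   # True
        }


if __name__ == "__main__":
    print(demo())
```

The hardened handler refuses any name that carries a directory component instead of trying to strip traversal sequences, stores only allowlisted types, and re-checks containment after resolving symlinks. The importer in a real product should additionally read only from a location the upload path cannot write to. None of this substitutes for applying the vendor upgrade the article describes; it only shows why a patch that filters names incompletely can be bypassed.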
Researchers at Rapid7 confirmed they’ve seen a small number of successful compromises through the Cleo vulnerability and questioned why the new CVE is still pending.
“It's unusual for a CVE identifier to take so long to come out, particularly since there are plenty of [CVE Numbering Authorities] who have been available to help,” Caitlin Condon, director of vulnerability intelligence at Rapid7, said via email. “CVE identifiers are important for allowing customers to appropriately track and prioritize risk.”
Public details of a vulnerability let the community understand its nature and assess the “potential impact to an organization's particular risk model,” Condon said.
Researchers at Huntress held a Zoom call with Cleo officials on Monday to share details of the exploitation, which showed the October patch was not providing adequate protection. Huntress developed a proof of concept to demonstrate how hackers could get around the patch.
The first sign of exploitation activity related to the newly discovered flaw dates back to Dec. 3, according to Huntress. Other researchers report seeing active exploitation later in the week.
Huntress said CVE designation delays are not that unusual.
“Frankly, the CVE process can take quite some time.... while Huntress is authorized as a CNA and can support,” said John Hammond, principal security researcher at Huntress. “Cleo was already in the process of getting one assigned by the time we spoke at the start of the week.”
Huntress researchers say malware the company calls Malichus is being deployed once threat actors gain access to Cleo systems.
Since last week, Huntress, Sophos, Rapid7 and other security providers have confirmed active exploitation against organizations in retail, trucking, shipping, food and other sectors.
Patrick Garrity, security researcher at VulnCheck, said delays like this are often the result of coordination issues.
“Cleo hasn't historically had an incident of this magnitude (that we are aware of) and isn't a CVE Numbering Authority,” Garrity said via email, “so there is often a delay in issuance because of the coordinated disclosure process and ensuring adherence to the CNA guidelines.”