Exploitation of vulnerabilities in Cleo Harmony, VLTrader, and LexiCom

ISGroup Cybersecurity

An active attack is targeting Cleo Harmony®, VLTrader®, and LexiCom® software. These widely used file transfer management solutions are vulnerable to CVE-2024-50623, a flaw that allows for unauthenticated remote code execution (RCE). Although Cleo released a patch for version 5.8.0.21, researchers have confirmed that it is ineffective, leaving systems still exposed.

ProductCleo Products
Date2024-12-12 15:58:23
Information
  • Trending
  • Active Exploitation

Technical Summary

The vulnerability lies in the improper handling of files in the autorun directory, which are automatically processed and executed. Traces found in log files show that attackers exploit specially crafted files to initiate unauthorized imports and execute PowerShell commands. These activities lead to arbitrary code execution, allowing cybercriminals to compromise systems and expand their reach. Affected installations are generally located in the root file system (C:\LexiCom, C:\VLTrader, or C:\Harmony) or in standard directories such as C:\Program Files (x86).

The following software versions are vulnerable:

  • Cleo Harmony (5.8.0.21 and earlier)
  • Cleo VLTrader (5.8.0.21 and earlier)
  • Cleo LexiCom (5.8.0.21 and earlier)

Recommendations

  • Limit network exposure: Immediately place Cleo systems exposed to the Internet behind a firewall to prevent external access.

  • Monitor Indicators of Compromise (IoCs): Check installation directories for unusual files in the autorun folder and verify logs for unauthorized activity. Pay particular attention to files such as healthchecktemplate.txt or main.xml, which may indicate exploitation attempts.

  • Wait for and apply updated patches: Follow official communications from Cleo and promptly apply any future updates that address the root cause of the vulnerability.

[Callforaction-THREAT-Footer]