CVE-2024-50623 Detection: Attackers Actively Exploit a RCE Vulnerability in Cleo Harmony, VLTrader, and LexiCom File Transfer Products

December 12, 2024 · 3 min read

High-profile attacks often stem from the exploitation of RCE vulnerabilities in widely used software. In late October 2024, security researchers uncovered a critical vulnerability in the FortiManager API (CVE-2024-47575) that was being exploited in zero-day attacks. With the holiday season on the horizon, adversaries are ramping up their activity as a new security flaw surfaces in the cyber threat landscape: defenders have identified active exploitation of an RCE vulnerability in Cleo LexiCom, VLTrader, and Harmony MFT software, applications that many large enterprises rely on for secure file transfer.

Detect CVE-2024-50623 Exploitation Attempts

Proactive detection of vulnerability exploitation remains one of the top cybersecurity use cases, as the number of disclosed vulnerabilities keeps growing. In 2024, almost 40K vulnerabilities were revealed and published, a 41% increase over the previous year. To stay on top of emerging threats and detect potential attacks in time, SOC Prime Platform offers a large collection of CTI-enriched detection rules backed by advanced solutions for threat detection and hunting.

Press the Explore Detections button below to access Sigma rules addressing CVE-2024-50623 exploitation attempts. All the rules are mapped to the MITRE ATT&CK framework, enriched with extensive threat intel, and compatible with 30+ SIEM, EDR, and Data Lake solutions.

Explore Detections

CVE-2024-50623 Analysis

Huntress has recently issued a warning about an improperly patched vulnerability, CVE-2024-50623, affecting several Cleo products. watchTowr Labs researchers provided further in-depth analysis of the CVE-2024-50623 exploitation attempts, showing how the underlying arbitrary file write is turned into RCE through the products' autoruns functionality, which executes files placed in the configured autorun directory.

Researchers identified at least ten businesses with compromised Cleo servers, observing a significant spike in exploitation activity on December 8, 2024. Further analysis revealed evidence of exploitation dating back to December 3, and there are likely additional compromised Cleo servers yet to be uncovered. Most affected customers belong to the consumer products, food, trucking, and shipping industries. A Shodan search shows that more than 100 Cleo product instances running a vulnerable version are exposed to the internet.

Cleo notified customers in late October that it had addressed CVE-2024-50623, a flaw that could enable RCE in the Cleo Harmony, VLTrader, and LexiCom file transfer products. The vendor published a security advisory for CVE-2024-50623 listing versions prior to 5.8.0.21 as affected and 5.8.0.21 as the fixed release. However, Huntress researchers found that the fix shipped in 5.8.0.21 is insufficient and the vulnerability remains exploitable. They also confirmed that threat actors are actively exploiting CVE-2024-50623 in real-world attacks.

Defenders have noticed the attackers maintaining persistence on the compromised systems, performing reconnaissance, and taking steps to remain under the radar, along with other unidentified post-exploitation activities.

As a result, systems running the 5.8.0.21 patch remain vulnerable to the exploit observed in the wild. The vendor has confirmed it is working on a new patch. As an interim CVE-2024-50623 mitigation that reduces the attack surface, defenders recommend reconfiguring Cleo software to disable the autoruns functionality, which is the step that turns the file write into code execution. This is only a temporary measure: it blocks the execution step but does not remove the arbitrary file-write vulnerability, which stays exploitable until an updated patch is released.
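The two practical takeaways above, that the exploit path is an arbitrary file write landing in the autorun directory and that 5.8.0.21 is still a vulnerable build, translate directly into a host-side hunt. The Python script below is an added example (not SOC Prime's, Huntress's or Cleo's code): it checks an installed version against the known-bad range and lists files recently written into the autorun directory, which is where an attacker's payload has to land for autoruns to execute it. The `<install>/autorun` location and the four-part version string format are assumptions, and the sample directory it scans is constructed inline rather than taken from a real incident.

```python
"""Hunting helper for CVE-2024-50623 on a Cleo Harmony / VLTrader / LexiCom host.

Added example, not SOC Prime's, Huntress's or Cleo's code. Two checks:
  1. is_vulnerable_version(): flags builds at or below 5.8.0.21, because the
     5.8.0.21 fix was found to be insufficient; later builds are only reported
     as "outside the known-bad range" and must be checked against the advisory.
  2. scan_autorun_dir(): lists files recently written into the autorun
     directory, the location an attacker's arbitrary file write must reach
     for the autoruns feature to execute it.
Assumptions (not from the page): the autorun directory is <install>/autorun
and Cleo version strings have four numeric components, e.g. "5.8.0.21".
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timezone

LAST_INSUFFICIENT_PATCH = (5, 8, 0, 21)


def parse_version(version):
    """Turn "5.8.0.21" into (5, 8, 0, 21) so versions compare numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Cleo version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(version):
    """True for every build up to and including the insufficient 5.8.0.21 patch."""
    return parse_version(version) <= LAST_INSUFFICIENT_PATCH


def sha256_file(path):
    """Hash a file in chunks so large autorun payloads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_autorun_dir(autorun_dir, since_epoch):
    """Return (relative_name, mtime_iso, sha256) for every file under autorun_dir
    modified at or after since_epoch, newest first. Anything listed that the
    administrators did not place themselves deserves a closer look."""
    hits = []
    for root, _dirs, files in os.walk(autorun_dir):
        for name in files:
            path = os.path.join(root, name)
            mtime = os.stat(path).st_mtime
            if mtime >= since_epoch:
                iso = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
                hits.append((mtime, os.path.relpath(path, autorun_dir), iso, sha256_file(path)))
    hits.sort(reverse=True)  # newest modification first
    return [(name, iso, digest) for _mtime, name, iso, digest in hits]


def build_sample_autorun(base_dir):
    """Constructed sample data: one month-old legitimate job file and one file
    written today, standing in for an attacker's drop. Not real IOCs."""
    os.makedirs(base_dir, exist_ok=True)
    old_path = os.path.join(base_dir, "legacy-job.txt")
    with open(old_path, "w") as handle:
        handle.write("admin-approved maintenance job\n")
    month_ago = time.time() - 30 * 86400
    os.utime(old_path, (month_ago, month_ago))  # back-date the legitimate file
    with open(os.path.join(base_dir, "dropped.txt"), "w") as handle:
        handle.write("placeholder content written by an unknown party\n")
    return base_dir


def run_sample_hunt():
    """Run both checks against the constructed input and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        autorun = build_sample_autorun(os.path.join(tmp, "autorun"))
        recent = scan_autorun_dir(autorun, since_epoch=time.time() - 7 * 86400)
    versions = {v: is_vulnerable_version(v) for v in ("5.8.0.20", "5.8.0.21", "5.8.0.22")}
    return {"versions": versions, "recent_autorun_files": recent}


if __name__ == "__main__":
    findings = run_sample_hunt()
    for version, vulnerable in findings["versions"].items():
        print(version, "VULNERABLE (<= 5.8.0.21)" if vulnerable else "outside known-bad range, verify against advisory")
    for name, when, digest in findings["recent_autorun_files"]:
        print(f"autorun/{name}  modified {when}  sha256 {digest}")
```

On a real host, point `scan_autorun_dir` at the directory actually configured as the autorun location and set the window back to at least December 3, 2024, the earliest exploitation date observed so far; hash every unexpected file before removing it so it can be matched against threat intel later. A build above 5.8.0.21 is deliberately not reported as safe, since at the time of writing the vendor had not yet released the corrected patch.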

To outpace real-world attacks and proactively identify vulnerability exploitation attempts, SOC Prime curates a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, helping global organizations keep enterprise-ready and future-proof security solutions at their disposal.

