Vulnerability disclosure: recently discovered, actively exploited weaknesses in Cleo's widely used file-transfer software, now publicly tracked under CVE identifiers.
Two critical vulnerabilities, CVE-2024-50623 and CVE-2024-55956, have been under active exploitation since December 3, 2024. These vulnerabilities affect various managed file transfer applications, including Cleo Harmony, VLTrader, and LexiCom, which are crucial for business operations and often handle sensitive information.
**CVE-2024-50623: Ransomware Exploitation**
CVE-2024-50623, disclosed in October, has been exploited in ransomware attacks. The vulnerability requires credentials for exploitation, and the patch released for it was found not to offer full protection against attacks. This vulnerability, affecting version 5.8.0.21 of the software, was leveraged for remote code execution via server-side template injection[1].
**CVE-2024-55956: Unauthenticated File Uploads**
CVE-2024-55956, assigned two days after a patch was released for Cleo file-transfer software, allows attackers to perform unauthenticated file uploads. This poses significant risks to affected organizations, as it enables attackers to upload and download files without restrictions, potentially leading to remote code execution and system control[1][2].
Despite patches being released, the Clop ransomware group managed to bypass them, highlighting the ongoing threat[1]. This vulnerability, impacting Cleo Harmony, VLTrader, and LexiCom prior to versions 5.8.0.24, is a net-new zero-day bug, different from a patch bypass[1][3]. It allows an unauthenticated user to import and execute arbitrary bash or PowerShell commands on a host system[2].
**Impact and Reasons for Active Exploitation**
The exploitation of these vulnerabilities can disrupt business operations significantly, as they allow attackers to access and manipulate sensitive data, leading to potential data breaches and system compromise[1][3]. The high-severity nature of CVE-2024-55956 makes it an attractive target for ransomware groups seeking to exploit vulnerabilities in essential business applications[1].
The ability of attackers to bypass patches underscores the need for robust security measures beyond patching, including continuous monitoring and threat intelligence[1]. File transfer applications like Cleo Harmony, VLTrader, and LexiCom are critical for many businesses, making them prime targets for attackers seeking to disrupt operations or steal sensitive data[1][2].
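The article gives one concrete, checkable fact a defender can act on: Harmony, VLTrader and LexiCom releases prior to 5.8.0.24 are affected. The following is an added triage example, not code from Cleo or from the article; it runs a constructed asset inventory against that fixed-version threshold and ranks internet-exposed hosts first. Hostnames, products other than the three named, and the inventory itself are assumptions; the only page-sourced values are the product names and the 5.8.0.24 release. It also shows why four-part version strings must be compared numerically rather than as text.

```python
"""Triage an MFT asset inventory against the fixed release named in the article.

Added example (not Cleo's code or a vendor tool). The inventory below is constructed;
the fixed version 5.8.0.24 and the three product names come from the article.
"""
from __future__ import annotations

# Products named in the article as affected, and the release that resolves CVE-2024-55956.
AFFECTED_PRODUCTS = {"Cleo Harmony", "VLTrader", "LexiCom"}
FIXED_VERSION = "5.8.0.24"

# Constructed sample inventory (hypothetical hosts): product, reported version, exposure.
SAMPLE_INVENTORY = [
    {"host": "mft-01.example.test", "product": "Cleo Harmony", "version": "5.8.0.21", "exposed": True},
    {"host": "mft-02.example.test", "product": "VLTrader", "version": "5.8.0.24", "exposed": True},
    {"host": "mft-03.example.test", "product": "LexiCom", "version": "5.8.0.9", "exposed": False},
    {"host": "edi-gw.example.test", "product": "LexiCom", "version": "5.8.0.24", "exposed": False},
    {"host": "sftp-01.example.test", "product": "OtherVendorSFTP", "version": "2.1", "exposed": True},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integers so 5.8.0.9 sorts below 5.8.0.24.

    Plain string comparison gets this wrong: "5.8.0.9" > "5.8.0.24" lexicographically,
    which would silently mark an old, vulnerable build as patched.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the host runs one of the affected products below the fixed release."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: list[dict]) -> list[dict]:
    """Return the vulnerable hosts, internet-exposed ones first, then oldest build first."""
    hits = [h for h in inventory if is_vulnerable(h["product"], h["version"])]
    hits.sort(key=lambda h: (not h["exposed"], parse_version(h["version"])))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        tag = "EXPOSED" if h["exposed"] else "internal"
        print(f"{tag:8} {h['host']:22} {h['product']:13} {h['version']} -> upgrade to {FIXED_VERSION}")
```

Feed `triage()` the output of whatever asset inventory you already keep; the point is that the version comparison is numeric and that exposed hosts surface at the top of the patch queue. Because the article notes that patches alone were bypassed, a clean version check should be paired with the monitoring the text calls for rather than treated as proof of safety.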
**Community Response and Concerns**
As of Sunday, Shadowserver reported 930 instances vulnerable to CVE-2024-50623, with about 720 of them exposed in the U.S. The security community has criticized the company for the delay in assigning the CVE and for a lack of clarity about which vulnerability posed the greatest risk[4].
Patrick Garrity, a security researcher at VulnCheck, said that CVE identifiers provide visibility into each unique vulnerability and the affected software[5]. Caitlin Condon, director of vulnerability intelligence at Rapid7, stated that CVE identifiers help organizations track and prioritize risks[5].
In conclusion, the exploitation of CVE-2024-50623 and CVE-2024-55956 highlights the importance of proactive vulnerability management and the implementation of robust security measures to protect against evolving cyber threats. Organizations are urged to apply patches and implement additional security measures to safeguard their critical infrastructure.
[1] https://www.bleepingcomputer.com/news/security/new-zero-day-vulnerability-cve-2024-55956-exploited-in-clop-ransomware-attacks/
[2] https://www.bleepingcomputer.com/news/security/cve-2024-50623-is-being-actively-exploited-in-ransomware-attacks/
[3] https://www.bleepingcomputer.com/news/security/clop-ransomware-group-bypasses-cleos-patches-for-critical-vulnerabilities/
[4] https://www.bleepingcomputer.com/news/security/shadowserver-reports-930-vulnerable-instances-of-cve-2024-50623/
[5] https://www.bleepingcomputer.com/news/security/rapid7-researchers-clarify-cve-2024-55956-is-not-a-patch-bypass/
- The vulnerability CVE-2024-50623, initially discovered in October, is being actively exploited in ransomware attacks and requires credentials for exploitation.
- CVE-2024-55956, a zero-day bug affecting Cleo file-transfer software, allows unauthenticated file uploads, potentially leading to remote code execution and system control.
- The exploitation of these vulnerabilities can significantly disrupt business operations, as they allow attackers to access and manipulate sensitive data, leading to potential data breaches and system compromise.
- The security community has expressed concerns about delays in designating CVE identifiers and a lack of clarity in identifying the most at-risk vulnerabilities, emphasizing the importance of proactive vulnerability management and robust security measures.