Widespread Exploitation of Cleo File Transfer Software

Critical vulnerabilities in Cleo file transfer products, including VLTrader, Harmony, and LexiCom, are being actively exploited. The activity initially stemmed from an insufficient patch for CVE-2024-50623; a new critical vulnerability (CVE-2024-55956) allows unauthenticated users to execute arbitrary commands. Exploitation has been confirmed in customer environments, with attackers dropping modular Java backdoors and conducting post-exploitation activity. Affected versions include those prior to 5.8.0.24. Immediate patching and removal of the products from public internet access are recommended. Indicators of compromise and post-exploitation behavior have been observed, including enumeration commands, PowerShell usage, and attempts to clear Windows event logs.

Author: AlienVault

Related Tags:
Cleo
T1482
T1071
T1069
T1033
T1550
T1105
T1082
T1562

Associated Indicators:
185.162.128.133
185.181.230.103
89.248.172.139
176.123.10.115
45.182.189.102