The Download
A critical vulnerability (CVE-2024-50623) in Cleo Harmony, VLTrader, and LexiCom managed file transfer software lets unauthenticated attackers execute code remotely on affected servers. The flaw, an unrestricted file upload and download, affects all versions before 5.8.0.21 and is being actively exploited against internet-exposed instances. Attackers are using it to import and run arbitrary PowerShell or bash commands, drop payloads, transfer files, and open network connections, and in several intrusions have deployed a Java-based post-exploitation framework named Malichus. Huntress and Sophos have documented compromises across dozens of hosts; because exploitation began before a complete fix was available, this is being treated as a zero-day.
What You Can Do
Administrators should upgrade immediately to Cleo's latest release, 5.8.0.24. Cleo's initial fix in 5.8.0.21 was later found to be bypassable, so 5.8.0.24 is the version to target; do not treat a host on 5.8.0.21 through 5.8.0.23 as fully patched. Where an upgrade cannot happen right away, disable the Autorun feature by clearing the Autorun directory setting in System Options. This stops files uploaded by an attacker from being executed automatically, but it does not close the upload path itself, so it is a stopgap rather than a fix. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, which under Binding Operational Directive 22-01 requires U.S. federal agencies to remediate by January 3. Any internet-exposed instance that ran a vulnerable build should be assumed compromised until checked: hunt for the published indicators of compromise, review recent file transfers and Autorun activity, segment these servers from the rest of the network, and keep patch management current to reduce the chance that this foothold turns into a ransomware incident.
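The following triage script is an added example, not Cleo's or ThreatMate's tooling, for working through the steps above across a fleet. It relies only on the facts in the advisory text: builds below 5.8.0.21 are vulnerable, 5.8.0.24 is the release to install, and disabling Autorun is the interim mitigation. The inventory is constructed sample data; the host names, the inventory fields, and the priority labels are assumptions for the example. It also shows a pitfall practitioners hit when scripting this from a CMDB export: Cleo's four-part versions must be compared numerically, because a plain string comparison ranks 5.8.0.9 above 5.8.0.24.

```python
"""Fleet triage for CVE-2024-50623 (Cleo Harmony / VLTrader / LexiCom).

Added example, not vendor tooling. Inventory rows below are constructed.
"""
from dataclasses import dataclass

# Version boundaries taken from the advisory text.
AFFECTED_BELOW = (5, 8, 0, 21)   # every build below this is vulnerable
FIXED_IN = (5, 8, 0, 24)          # the release administrators are told to install
PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}

# Assumed priority ordering for sorting the report (not from the advisory).
PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "ok": 3}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.8.0.9' into (5, 8, 0, 9) so comparisons are numeric.

    A string compare gets this wrong: '5.8.0.9' > '5.8.0.24' as text.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Cleo version format: {text!r}")
    return parts


@dataclass
class CleoHost:
    name: str              # assumed inventory field
    product: str           # Harmony, VLTrader or LexiCom
    version: str           # dotted four-part build string
    internet_exposed: bool
    autorun_enabled: bool


def triage(host: CleoHost) -> dict:
    """Return the priority and the concrete actions for one host."""
    if host.product not in PRODUCTS:
        raise ValueError(f"{host.name}: not a Cleo MFT product")
    v = parse_version(host.version)
    vulnerable = v < AFFECTED_BELOW       # inside the advisory's affected range
    fully_patched = v >= FIXED_IN         # on the release the advisory names

    actions = []
    if not fully_patched:
        actions.append("upgrade to " + ".".join(map(str, FIXED_IN)))
        if host.autorun_enabled:
            # Interim mitigation only: blocks auto-execution of uploaded files,
            # not the upload itself, so the upgrade still has to happen.
            actions.append("disable Autorun (clear the Autorun directory in System Options)")
    if vulnerable and host.internet_exposed:
        actions.append("assume compromise: hunt for IOCs before treating host as clean")

    if vulnerable and host.internet_exposed:
        priority = "critical"
    elif vulnerable:
        priority = "high"
    elif not fully_patched:
        priority = "medium"      # 5.8.0.21 to 5.8.0.23: initial fix, still upgrade
    else:
        priority = "ok"
    return {"host": host.name, "priority": priority, "actions": actions}


def triage_fleet(hosts: list[CleoHost]) -> list[dict]:
    """Triage every host and order the report with the most urgent first."""
    report = [triage(h) for h in hosts]
    report.sort(key=lambda r: PRIORITY_ORDER[r["priority"]])
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_FLEET = [
    CleoHost("mft-edge-01", "Harmony", "5.8.0.9", internet_exposed=True, autorun_enabled=True),
    CleoHost("mft-int-02", "VLTrader", "5.8.0.20", internet_exposed=False, autorun_enabled=False),
    CleoHost("mft-edge-03", "LexiCom", "5.8.0.21", internet_exposed=True, autorun_enabled=True),
    CleoHost("mft-edge-04", "Harmony", "5.8.0.24", internet_exposed=True, autorun_enabled=True),
]

if __name__ == "__main__":
    for row in triage_fleet(SAMPLE_FLEET):
        print(f"{row['priority']:8s} {row['host']:12s} {'; '.join(row['actions']) or 'no action'}")
```

Feed it the real inventory export and work the report top down: every "critical" row is an internet-facing host that ran a vulnerable build, which is exactly the population Huntress and Sophos saw compromised, so those get an IOC hunt before they are considered clean, not just a patch.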
Use ThreatMate to monitor your attack surfaces to find and fix vulnerabilities before the adversary does.
To Learn More: