Loïc Castel

Cleo MFT Software RCE - CVE-2024-50623

Version History

2024-12-17 (1.0): Initial version

2024-12-18 (1.1): Updated article to document a new exploitation method


Vulnerability in Cleo software solution

Cleo MFT (Cleo Harmony, VLTrader, and LexiCom) is a widely used software solution for data integration and secure file exchange between enterprise systems. It is particularly popular in industries such as logistics, finance, and healthcare, where reliable and secure data transfers are critical. Cleo offers a platform to connect systems and applications via protocols like FTP, SFTP, and AS2, making its proper functioning vital for many organizations.


A critical vulnerability, referenced as CVE-2024-50623, was recently identified in Cleo software and is being actively exploited by attackers. The flaw affects the Cleo products used for file transfers: weak security controls in HTTP request handling expose systems to Remote Code Execution (RCE). The vulnerability, cataloged with a CVSS score of 9.8, allows attackers to execute malicious code remotely and thereby compromise affected systems.

 

⚠️ It is important to mention that this vulnerability was discovered following its exploitation by malicious actors, which makes it even more urgent to address as it indicates that criminals have had access to exploitation code for some time.

 

Recently, a new method of compromising Cleo software has been identified. Attackers deploy a modular Java remote access tool (RAT), enabling multi-stage control of infected systems.

Attack Stages:

1. Initial Injection: Attackers exploit vulnerabilities in Cleo to inject an encoded JAR file.

2. RAT Activation: Once executed, the modular RAT installs itself, providing attackers with extensive capabilities, including system reconnaissance, file exfiltration, command execution, and encrypted communication with a command-and-control (C2) server.


The modular structure of this malware allows it to adapt its functionalities based on the attackers’ objectives, making its detection and neutralization significantly more challenging.


Link to the article: https://www.rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropped-in-cleo-exploitation-campaign


Vulnerable Versions


Affected Products:

Versions of Cleo Harmony, VLTrader, and LexiCom up to and including version 5.8.0.21 are vulnerable.


It is important to note that no effective patch exists at the time of writing, making it essential to restrict internet access to Cleo solutions until a patch is available.


At-Risk Scenarios

1. Organizations that have exposed their Cleo web interfaces to the internet without strict filtering.

2. Outdated versions of the software that have not been updated.

3. Standard, non-hardened configurations, such as default credentials or the lack of active logging.


How to Exploit the Vulnerability?


Exploitation Scenarios and Resources


Security researchers have demonstrated that this vulnerability can be exploited via malicious HTTP requests. Below is a summary of the exploitation process:

1. The attacker identifies an exposed Cleo instance on the internet using scanning tools like Shodan.

2. A specially crafted HTTP request is sent to exploit a flaw in Cleo’s input handling mechanism.

3. If the exploit is successful, the attacker can execute system commands with the application’s privileges, potentially gaining full access to the system or network.


Proof of Concept (PoC)


A PoC has been published by watchTowr Labs, together with an in-depth explanation of this vulnerability: https://labs.watchtowr.com/cleo-cve-2024-50623/.


Arbitrary File Read and Write


The vulnerability allows for arbitrary file reading on the Windows system hosting the affected Cleo solutions. By modifying the VLSync header, attackers can escalate this vulnerability to perform arbitrary file writing. This is achieved by writing the content of the HTTP request body to any location on the disk. Below is an example request:

POST /Synchronization HTTP/1.1
Host: 192.168.X.X:5080
VLSync: ADD;l=Ab1234-RQ0258;n=VLTrader;v=5.7.0.0;a=192.168.X.X;po=5080;s=True;b=False;pp=myEncryptedPassphrase;path=..\\..\\..\\poc.txt
Content-Type: multipart/form-data; boundary=-----1337
Content-Length: 10

Poc test

In this example, the file poc.txt is written to a chosen location on the server with the content “Poc test”.

Malware Deployment via Autorun Directory


The security company Huntress has observed malicious actors abusing this vulnerability to deploy malware. They achieve this by writing the payload into Cleo’s autorun directory, enabling automatic execution of their malicious code.


Mitigation Option


While disabling Cleo’s autorun mechanism can prevent the execution of malicious payloads, it does not fix the root cause of the vulnerability, which includes arbitrary file read and write capabilities.


Immediate action is required to restrict access to vulnerable systems and monitor for signs of compromise.

Image: Cleo menu allowing the autorun mechanism to be changed

How to Detect the Vulnerability (Black Box Testing)

1. Identify Exposed Systems:

  • Use tools like Shodan or Nmap to scan for open ports associated with Cleo services (commonly related to file transfer operations, such as ports 5080 or 443).

  • Look for responses indicating a Cleo service.


2. Check Installed Versions:

  • Confirm that the Cleo software version is not among those affected (≤ 5.8.0.21).

  • Cross-check with Cleo’s latest bulletins or patch notes for the vulnerability.


3. Run Vulnerability Scanners:

  • Use tools like Nessus, OpenVAS, or Qualys to scan for known vulnerabilities linked to Cleo (e.g., CVE-2024-50623).

  • Look for plugins or signatures specific to Cleo systems.


Is the Vulnerability Actively Exploited?


Yes.

According to available information, this vulnerability is actively exploited in the wild. Attackers target Cleo systems that are:

• Outdated.

• Exposed to the internet without strict access controls.

• Misconfigured (e.g., using default credentials or without proper logging).


Researchers from Huntress have observed several cases where compromised Cleo instances were used to deploy malware or access sensitive data.


Indicators of Active Exploitation

1. Suspicious Network Activity:

• Unusual or unauthorized file transfers from Cleo platforms.

• Anomalous traffic patterns, such as large outbound data spikes or connections to unknown IPs.

2. Unrecognized Commands in Logs:

• Remote execution of unexpected commands or requests in Cleo’s logs.

3. System Anomalies:

• Addition of unknown users.

• Configuration changes without authorization.

• Modifications to critical files (e.g., unauthorized creation of files in the autorun directory).


How to Detect Exploitation Using Known Indicators


To proactively search for signs of compromise (threat hunting), add the following Indicators of Compromise (IoCs) to your detection tools:

File Path Anomalies

• Look for unexpected files in directories like autorun.

• Example: Newly created .jar or .exe files.

Network IoCs

  • Monitor for traffic to known Command & Control (C2) IPs (as per Cleo threat reports).

  • Example: Suspicious outbound requests from Cleo systems.

Log Patterns

  • Unusual POST requests to /Synchronization with modified headers like VLSync.

  • Example from exploit:


POST /Synchronization HTTP/1.1
VLSync: ADD;...
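An added example (not from the article, Cleo or watchTowr) that turns the file-write request shown earlier and the log pattern above into a detection check: it parses a constructed access-log format that carries the VLSync header, splits the header into fields, and flags requests to /Synchronization whose path= value contains traversal, an absolute path or the autorun directory. The log line format, client addresses and sample entries are assumptions.

```python
import re

# Constructed sample log lines (assumed format, not a real Cleo log):
# "<client-ip> <method> <uri> VLSync=<header value>"
SAMPLE_LOG = [
    '10.0.0.5 POST /Synchronization VLSync=ADD;l=Ab1234-RQ0258;n=VLTrader;v=5.7.0.0;'
    'a=10.0.0.5;po=5080;s=True;b=False;pp=secret;path=..\\..\\..\\poc.txt',
    '10.0.0.7 POST /Synchronization VLSync=ADD;n=VLTrader;v=5.7.0.0;path=reports\\daily.csv',
    '10.0.0.9 POST /Synchronization VLSync=ADD;n=VLTrader;path=C:\\Cleo\\autorun\\run.bat',
    '10.0.0.9 POST /Synchronization VLSync=ADD;path=../../autorun/healthchecktemplate.txt',
    '10.0.0.3 GET /index.html',
]

LINE_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<uri>\S+)(?: VLSync=(?P<vlsync>.*))?$')


def parse_vlsync(value):
    """Split the semicolon-separated VLSync header into a dict of key=value fields."""
    fields = {}
    for part in value.split(';'):
        key, sep, val = part.partition('=')
        if sep:
            fields[key.strip()] = val
        elif part and 'op' not in fields:
            fields['op'] = part          # leading verb such as ADD
    return fields


def classify(line):
    """Return the reasons a line looks like CVE-2024-50623 abuse (empty list if benign)."""
    m = LINE_RE.match(line)
    if not m or m['uri'] != '/Synchronization' or m['vlsync'] is None:
        return []
    path = parse_vlsync(m['vlsync']).get('path', '')
    reasons = []
    # normalise separators so both ..\ and ../ are caught
    if '..' in path.replace('\\', '/').split('/'):
        reasons.append('path traversal in VLSync path')
    if re.match(r'^(?:[A-Za-z]:)?[\\/]', path):
        reasons.append('absolute path in VLSync path')
    if 'autorun' in path.lower():
        reasons.append('write targets autorun directory')
    return reasons


def scan(lines):
    """Return (line number, reasons) for every flagged line, 1-based like grep -n."""
    return [(i, classify(l)) for i, l in enumerate(lines, 1) if classify(l)]
```

Any hit on the traversal or autorun rule deserves an immediate look at the file system path named in the header.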

Processes or Services

  • Identify running processes or services that should not be active on Cleo systems.

  • Look for abnormal execution of Java-based payloads.


Recommendations

  • Filter Internet Access:

    • Immediately restrict Cleo system access to trusted IPs only.

  • Enable Logging:

    • Ensure all Cleo logs are actively monitored for anomalies.

  • Patch Management:

    • Apply updates as soon as a patch becomes available.

  • Proactive Scans:

    • Use IoCs and behavioral analytics to detect compromise early.


IoCs


Malicious Files

  • 60282967-dc91-40ef-a34c-38e992509c2c.xml 

  • healthchecktemplate.txt or healthcheck.txt 


Suspect processes

  • Execution of javaw.exe (the Java process) with cmd.exe as a child process whose arguments contain powershell, where javaw.exe itself was launched by one of the following parent processes:

    • VLTrader

    • lexicom

    • Harmony

    • VersaLex
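The process-tree indicator above as a check over constructed process-creation events (an added example, not Huntress's or Cleo's code). The event shape, the image paths and the assumption that the Cleo service process is the parent of javaw.exe, which in turn is the parent of cmd.exe, are mine.

```python
import os
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as an EDR or Sysmon event would report it
    cmdline: str


# Process names listed in the article as parents of the javaw.exe process
CLEO_PARENTS = {'vltrader', 'lexicom', 'harmony', 'versalex'}

# Constructed sample events (not real telemetry): one Cleo tree with a suspicious
# cmd.exe, one benign cmd.exe under Cleo, and a javaw/cmd/powershell chain that is
# not under a Cleo process at all.
EVENTS = [
    ProcEvent(400, 4, r'C:\VLTrader\VLTrader.exe', 'VLTrader.exe -service'),
    ProcEvent(410, 400, r'C:\Program Files\Java\bin\javaw.exe', 'javaw.exe -jar VLTrader.jar'),
    ProcEvent(420, 410, r'C:\Windows\System32\cmd.exe', 'cmd.exe /c powershell -enc PLACEHOLDER'),
    ProcEvent(430, 410, r'C:\Windows\System32\cmd.exe', 'cmd.exe /c dir'),
    ProcEvent(500, 4, r'C:\Windows\explorer.exe', 'explorer.exe'),
    ProcEvent(510, 500, r'C:\Program Files\Java\bin\javaw.exe', 'javaw.exe -jar tool.jar'),
    ProcEvent(520, 510, r'C:\Windows\System32\cmd.exe', 'cmd.exe /c powershell Get-Date'),
]


def image_name(image):
    """Lower-case file name without extension, e.g. 'VLTrader' from the full path."""
    return os.path.splitext(os.path.basename(image.replace('\\', '/')))[0].lower()


def find_suspicious(events):
    """Return the PIDs of cmd.exe processes matching: Cleo service -> javaw.exe -> cmd.exe (powershell)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) != 'cmd' or 'powershell' not in e.cmdline.lower():
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) != 'javaw':
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is not None and image_name(grandparent.image) in CLEO_PARENTS:
            hits.append(e.pid)
    return hits
```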


Recommendations


Companies using Cleo must immediately inspect their systems for signs of exploitation, such as suspicious HTTP requests or abnormal activities. If your system is compromised, it is critical to:

• Isolate the affected server.

• Inform your incident response team.

• Disable Cleo’s autorun mechanism.

• Apply the patch as soon as it becomes available.


This ongoing exploitation highlights the urgency of implementing countermeasures quickly to protect your critical infrastructure and data.


Conclusion


This Cleo vulnerability is a reminder of the importance of best security practices, such as access management, regular updates, and security audits. Organizations using Cleo must act swiftly to patch their systems and reduce exposure to attacks. If your company uses Cleo, now is the time to mobilize your teams to protect your data and infrastructure.


To quickly detect potential vulnerabilities and prevent exploitation, Saferscan vulnerability scans enable you to identify at-risk systems in just minutes. These scans cover major known vulnerabilities, including those related to Cleo.


In case of a compromise or incident, Safercy’s incident response teams can intervene rapidly to analyze the attack, contain the threat, and restore your systems. Protect your data and minimize downtime by relying on cybersecurity experts.


For more information about these services or to request an audit, contact Safercy today.

