Hackers are exploiting a flaw in popular file-transfer tools to launch mass hacks, again


Security researchers are warning that hackers are actively exploiting another high-risk vulnerability in a popular file transfer technology to launch mass hacks. 

The vulnerability, tracked as CVE-2024-50623, affects software developed by Illinois-based enterprise software company Cleo, according to researchers at cybersecurity company Huntress. 

The flaw was first disclosed by Cleo in a security advisory on October 30, which warned that exploitation could lead to remote code execution. It affects Cleo’s LexiCom, VLTransfer, and Harmony tools, which are commonly used by enterprises to manage file transfers.

Cleo released a patch for the vulnerability in October, but in a blog post on Monday, Huntress warned that the patch does not mitigate the software flaw.

Huntress security researcher John Hammond said the company has observed threat actors “exploiting this software en masse” since December 3. He added that Huntress — which protects more than 1,700 Cleo LexiCom, VLTransfer, and Harmony servers — has discovered at least 10 businesses whose servers were compromised. 

“Victim organizations so far have included various consumer product companies, logistics and shipping organizations, and food suppliers,” wrote Hammond, adding that many other customers are at risk of being hacked.

Shodan, a search engine for publicly available devices and databases, lists hundreds of vulnerable Cleo servers, the majority of which are located in the U.S.

Cleo has more than 4,200 customers, including U.S. biotechnology company Illumina, sports footwear giant New Balance, and Dutch logistics firm Portable.

Huntress has not yet identified the threat actor behind these attacks and it’s not known whether any data has been stolen from impacted Cleo customers. However, Hammond noted that the company has observed hackers performing “post-exploitation activity” after compromising vulnerable systems.

Cleo did not respond to TechCrunch’s questions and has not yet released a patch that protects against the flaw. Huntress recommends that Cleo customers move any internet-exposed systems behind a firewall until a new patch is released.

Enterprise file transfer tools are a popular target among hackers and extortion groups. Last year, the Russia-linked Clop ransomware gang claimed thousands of victims by exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer product. The same gang had previously taken credit for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software, which was used to target more than 130 organizations. 




Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
