Analytics Story: Cleo File Transfer Software
Description
This analytic story covers exploitation of Cleo's managed file transfer products (LexiCom, VLTrader, and Harmony) through CVE-2024-50623. The vulnerability is reachable without authentication through the products' web-facing file transfer interface and lets an attacker execute arbitrary system commands on the host, leading to remote code execution and full compromise of the server.
Why it matters
In December 2024, threat actors began actively exploiting CVE-2024-50623, a critical vulnerability in Cleo's file transfer suite that affects LexiCom, VLTrader, and Harmony. The flaw lets an unauthenticated attacker execute system commands through the products' web interface; observed intrusions typically used PowerShell, often with encoded command lines, for payload delivery and execution. Exploitation commonly abuses the software's autorun functionality together with the web interface to get malicious commands run by the Cleo service, which gives the attacker a path to data theft, ransomware deployment, or persistent access. Default installation paths are C:\LexiCom, C:\VLTrader, and C:\Harmony, and each product records its activity in XML log files under its own install directory, so both the install path and those logs are the first places to look when triaging a suspected compromise.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
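The process-creation sources listed above (Sysmon EventID 1, Security 4688, CrowdStrike ProcessRollup2) all expose a parent/child image pair, and the PowerShell activity described under "Why it matters" surfaces as a shell whose parent process runs out of one of the Cleo install directories. The Python below is an added example, not code from this page, from Splunk, or from Cleo: it applies that parent-path check to a few constructed Sysmon-style events and decodes any `-EncodedCommand` payload so the analyst sees the command that script block logging (4104) would otherwise reveal later. The Java image paths under the install roots, the sample command lines, and the list of shell images are assumptions chosen for illustration, not observed telemetry.

```python
import base64
import binascii
from typing import Iterable, Optional

# Default install roots named on this page; add non-default paths for your estate.
CLEO_INSTALL_ROOTS = ("c:\\lexicom\\", "c:\\vltrader\\", "c:\\harmony\\")
# Shells that the Cleo service has no routine reason to spawn (assumption for the example).
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed payload: PowerShell -EncodedCommand expects base64 of UTF-16LE text.
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode("ascii")

# Constructed sample events using Sysmon EventID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {  # benign: the service host itself starting under services.exe
        "UtcTime": "2024-12-10 01:12:03.100",
        "Image": "C:\\LexiCom\\jre\\bin\\javaw.exe",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
        "CommandLine": "C:\\LexiCom\\jre\\bin\\javaw.exe -jar lexicom.jar",
    },
    {  # suspicious: Java host under the install root spawning encoded PowerShell
        "UtcTime": "2024-12-10 01:15:44.512",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\LexiCom\\jre\\bin\\javaw.exe",
        "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED_WHOAMI}",
    },
    {  # benign: an administrator opening PowerShell from the desktop
        "UtcTime": "2024-12-10 01:20:00.000",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe",
    },
    {  # suspicious: cmd.exe spawned by the Harmony Java process
        "UtcTime": "2024-12-10 01:21:09.300",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Harmony\\jre\\bin\\java.exe",
        "CommandLine": "cmd.exe /c whoami > C:\\Harmony\\temp\\out.txt",
    },
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cleo_process(image: str) -> bool:
    """True when the image lives under one of the Cleo install roots."""
    return image.replace("/", "\\").lower().startswith(CLEO_INSTALL_ROOTS)


def _is_encoded_flag(token: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec."""
    t = token.lstrip("-/").lower()
    return t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode the argument following an -EncodedCommand style flag, if present.

    Returns None when there is no such flag or the blob does not decode cleanly.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            blob = tokens[i + 1]
            try:
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def find_cleo_spawned_shells(events: Iterable[dict]) -> list:
    """Flag shells whose parent image runs from a Cleo install directory."""
    hits = []
    for ev in events:
        if _basename(ev.get("Image", "")) in SHELL_IMAGES and is_cleo_process(ev.get("ParentImage", "")):
            cmd = ev.get("CommandLine", "")
            hits.append({
                "time": ev.get("UtcTime"),
                "parent": ev["ParentImage"],
                "child": ev["Image"],
                "command_line": cmd,
                "decoded_command": decode_encoded_command(cmd),
            })
    return hits


if __name__ == "__main__":
    for hit in find_cleo_spawned_shells(SAMPLE_EVENTS):
        print(f"{hit['time']}  {hit['parent']} -> {hit['child']}")
        print(f"    cmdline: {hit['command_line']}")
        if hit["decoded_command"] is not None:
            print(f"    decoded: {hit['decoded_command']}")
```

The same logic maps directly onto the fields the listed sourcetypes provide (Sysmon `ParentImage`/`Image`, 4688 `ParentProcessName`/`NewProcessName`, CrowdStrike `ParentBaseFileName`/`ImageFileName`): filter on the parent path prefix first, then on the child image name, so a legitimate Cleo restart or an administrator's interactive shell does not trip the rule. Keep the install-root list in step with your actual deployments; a non-default install path is the most common reason this kind of detection silently misses.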
References
- https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Source: GitHub | Version: 1