Source: Managed Cybersecurity Platform for SMBs and IT Providers Author: Team Huntress URL: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild?utm_source=linkedin&utm_medium=social
ONE SENTENCE SUMMARY:
CVE-2024-55956, an unauthenticated remote code execution vulnerability in Cleo’s Harmony, VLTrader, and LexiCom file-transfer products, is being actively exploited, and the currently available patch does not stop it, so exposed systems need immediate protective measures until Cleo ships a fix.
MAIN POINTS:
- Cleo’s LexiCom, VLTrader, and Harmony products carry a critical vulnerability that is being actively exploited in the wild.
- The vulnerability allows unauthenticated remote code execution, so an attacker with network access to the service needs no credentials.
- Systems on the latest available release at the time, 5.8.0.21, remain exploitable; being up to date is not protection, so treat every exposed instance as at risk.
- Attackers write malicious files into the product’s installation directories, including the autorun directory, to stage post-exploitation activity.
- Huntress has identified specific attacker IP addresses (listed in the advisory) that should be monitored for and blocked.
- Cleo plans to release a new patch that addresses the vulnerability soon.
- Disabling the autorun feature removes one post-exploitation path but does not fix the underlying vulnerability.
- Victims observed so far include companies in the consumer products, food, trucking, and shipping industries.
- Huntress has deployed detections for the activity and is actively neutralizing the threat on affected hosts.
- Administrators should check the installation directories for indicators of compromise to determine whether a host has already been hit.
TAKEAWAYS:
- Immediately take internet-exposed Cleo systems off the public internet and place them behind a firewall to limit exposure.
- Disabling autorun reduces risk until a permanent patch is available, but it is a mitigation, not a fix.
- Monitor logs and installation directories for indicators of compromise to identify systems that have already been attacked.
- Huntress is working with Cleo on a patch that actually closes the vulnerability.
- Stay updated on Huntress’s blog for the latest information and protective measures.
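The two points above about checking installation directories and monitoring them for indicators of compromise are easier to act on with a baseline-and-diff check: snapshot the install tree now, then re-run it and flag anything new or changed, with changes under the autorun directory (where a dropped file would be picked up by the product) called out separately. The script below is an added example, not Huntress or Cleo code. It assumes an install root passed on the command line and a subdirectory literally named `autorun`; the sample tree built in `demo()` and the "dropped" file are constructed for illustration and are not the advisory's actual indicators.

```python
"""Baseline-and-diff integrity check for a Cleo install directory.

Added example (not Huntress or Cleo code). Assumptions: the install root
is given on the command line, the autorun subdirectory is named 'autorun',
and every file in demo() is constructed sample data.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

HASH_CHUNK = 1 << 16
WATCH_DIRS = ("autorun",)  # assumption: name of the product's autorun directory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash and mtime."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": sha256_file(p), "mtime": int(p.stat().st_mtime)}
    return snap


def diff_snapshots(baseline: dict, current: dict, watch_dirs=WATCH_DIRS) -> dict:
    """Return added/modified/removed files, plus 'flagged': any added or
    modified file that lives under one of the watched directories."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in set(current) & set(baseline)
        if current[rel]["sha256"] != baseline[rel]["sha256"]
    )

    def in_watch(rel: str) -> bool:
        return any(rel == d or rel.startswith(d + "/") for d in watch_dirs)

    flagged = sorted(rel for rel in added + modified if in_watch(rel))
    return {"added": added, "modified": modified, "removed": removed, "flagged": flagged}


def demo() -> dict:
    """Constructed scenario: baseline a fake install, then simulate an attacker
    dropping a file into autorun and editing a config file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("autorun", "conf", "lib"):
            (root / d).mkdir()
        (root / "conf" / "Options.xml").write_text("<Options/>")          # constructed
        (root / "lib" / "app.jar").write_bytes(b"PK\x03\x04constructed")  # constructed stub
        baseline = snapshot(root)
        # post-exploitation simulation (constructed, not real IoC names)
        (root / "autorun" / "dropped.txt").write_text("constructed payload")
        (root / "conf" / "Options.xml").write_text("<Options changed='1'/>")
        return diff_snapshots(baseline, snapshot(root))


def main(argv: list) -> None:
    if len(argv) == 3 and argv[0] == "baseline":
        # python cleo_check.py baseline /path/to/cleo baseline.json
        Path(argv[2]).write_text(json.dumps(snapshot(Path(argv[1])), indent=2))
    elif len(argv) == 3 and argv[0] == "check":
        # python cleo_check.py check /path/to/cleo baseline.json
        baseline = json.loads(Path(argv[2]).read_text())
        print(json.dumps(diff_snapshots(baseline, snapshot(Path(argv[1]))), indent=2))
    else:
        print(json.dumps(demo(), indent=2))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Take the baseline from a host you have reason to trust (or from a fresh install of the same version), store it off the box, and re-run `check` on a schedule; a non-empty `flagged` list is the signal to pull the host off the network and start incident response rather than just patching.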