{"uuid": "92cdf9dd-1009-427b-8181-b444dc288f89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "INCIDENT: Threat Actors Currently Mass-Exploiting Cleo Servers (0-day-ish) \ud83d\udc7e (source reddit)", "description": "- [INCIDENT: Threat Actors Currently Mass-Exploiting Cleo Servers (0-day-ish) \ud83d\udc7e ](https://www.reddit.com/r/sysadmin/comments/1haqguq/incident_threat_actors_currently_massexploiting/?rdt=59586)\n\nhttps://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild\n\nOn December 3, Huntress identified an emerging threat involving Cleo\u2019s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We\u2019ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623\u2014which allows unauthenticated remote code execution\u2014Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.\n\nTL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.", "description_format": "markdown", "vulnerability": "CVE-2024-50623", "creation_timestamp": "2024-12-10T07:56:04.828065+00:00", "timestamp": "2024-12-10T07:57:07.099373+00:00", "related_vulnerabilities": ["CVE-2024-50623"], "meta": [{"tags": ["vulnerability:exploitability=industrialised"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
