CVE2024

Cleo Releases Patch for Critical Vulnerabilities Exploited in the Wild

Summary

OEM

Cleo

Severity

Critical

CVSS score

9.8

CVE

CVE-2024-55956, CVE-2024-50623

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

The Clop ransomware group has exploited critical vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, specifically targeting Cleo Harmony, VLTrader, and LexiCom. These vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, allow unauthenticated attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Fixed Version

Unauthenticated Command Execution

CVE-2024-55956

Cleo products

Critical

9.8

5.8.0.24 or latest

Unrestricted File Upload/Download Vulnerability

CVE-2024-50623

Cleo products

Critical

9.8

5.8.0.24 or latest

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-55956

Cleo Harmony, VLTrader, LexiCom

This flaw enables unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Attackers can write a ZIP file containing a malicious XML file describing a new host. The malicious XML file contained a Mailbox action associated with the new host, which when run would execute an arbitrary OS command.

Execution of arbitrary commands, resulting in full system compromise.

CVE-2024-50623

Cleo Harmony, VLTrader, LexiCom

This vulnerability permits unauthenticated attackers to upload and download files without restrictions via the ‘/Synchronization’ endpoint. By uploading malicious files, attackers can achieve remote code execution. The exploitation involves writing malicious code to specific files, such as “webserverAjaxSwingconftemplatesdefault-pagebody-footerVL.html”, which is then leveraged to execute an attacker-controlled payload, potentially in the form of a webshell.

Unauthorized file manipulation and potential system compromise.

Remediations

  • Update Cleo Harmony, VLTrader, and LexiCom to the updated version 5.8.0.24 or latest one.

Recommendations

  • It is strongly advised to move any internet-exposed Cleo systems behind a firewall until patches are applied to prevent unauthorized exploitation.
  • Disable autorun files in Cleo software by clearing the “Autorun Directory” field under “Options” to limit the attack surface; this doesn’t resolve the file-write vulnerability.
  • Implement monitoring for signs of the “Cleopatra” backdoor and other malicious activities associated with Clop ransomware.
  • Conduct a thorough audit of your systems to identify any malicious files or abnormal system behavior associated with Cleo software. This includes checking logs, directories, and network traffic for unusual activities related to the known exploit chain.
  • If you have an EDR solution, block the attacker IPs associated with the exploit to prevent further external communication with compromised systems.
  • Ensure regular backups of critical data are performed and stored securely offline to facilitate recovery in case of any ransomware attack.

IOCs

Based on the research
These are the attacker IP addresses embedded in the encoded PowerShell

IP Address IOCs

File IOCs

176.123.5[.]126

60282967-dc91-40ef-a34c-38e992509c2c.xml

5.149.249[.]226

healthchecktemplate.txt

185.181.230[.]103

healthcheck.txt

209.127.12[.]38

181.214.147[.]164

192.119.99[.]42

Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation

Summary

OEM

WordPress

Severity

Critical

Date of Announcement

2024-12-13

CVSS score

9.8

CVE

CVE-2024-11972

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Hunk Companion Plugin Vulnerability

CVE-2024-11972

Hunk Companion Plugin for WordPress

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-11972

Hunk Companion plugin versions  prior to 1.8.4

This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins.

This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise.

Remediations

  • “Hunk Companion” WordPress plugin, should update to version 9.0 or later.

General Recommendations

  • Regularly inspect your WordPress site for unknown plugins or modifications.
  • Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
  • Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
  • Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.
Scroll to top