Cleo, a leading provider of file-transfer software, has issued an urgent security warning urging users to patch an actively exploited vulnerability affecting its Harmony, VLTrader, and LexiCom products. The vulnerability allows unauthenticated users to execute arbitrary commands on the host system and is being exploited widely across the industry. The flaw stems from default settings for the Autorun directory, which attackers can leverage to run malicious scripts such as Bash or PowerShell commands. A patch was initially issued in October 2024, but further analysis revealed that the initial fix was insufficient, leading Cleo to release an updated patch this week.
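Because the exploitation path described above relies on files being placed in the product's Autorun directory, one defensive control is to baseline that directory and alert on anything added or changed. The following script is an added illustration of that check, not Cleo's code or anything from the advisory; the directory path is a placeholder assumption (the article does not state where the Autorun folder lives), and the sample files it creates in a temporary directory are constructed test data.

```python
"""
Baseline-and-diff check for a managed-file-transfer Autorun directory.
Added illustration, not Cleo's code. AUTORUN_DIR is an assumed placeholder;
point it at the product's real Autorun folder on the host being monitored.
"""
import hashlib
import os
import tempfile

# Assumed placeholder path (not taken from the article); replace on a real host.
AUTORUN_DIR = "/path/to/cleo/autorun"

# Script types an attacker would drop to obtain command execution via Autorun.
# The article names Bash and PowerShell; .bat/.cmd are added as common Windows
# batch variants (assumption, not from the page).
SUSPICIOUS_EXT = {".sh", ".ps1", ".bat", ".cmd"}


def snapshot(directory):
    """Return {relative_path: sha256_hex} for every regular file under directory."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Classify files as added, modified, or removed relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def findings(diff):
    """Turn a diff into alert strings.

    Any new or modified file in an Autorun directory is worth a look; files
    with a script extension are rated HIGH because they give direct execution.
    """
    alerts = []
    for kind in ("added", "modified"):
        for path in diff[kind]:
            ext = os.path.splitext(path)[1].lower()
            severity = "HIGH" if ext in SUSPICIOUS_EXT else "MEDIUM"
            alerts.append(f"{severity}: {kind} file in Autorun directory: {path}")
    return alerts


def demo():
    """Constructed scenario: baseline with one expected file, then a dropped .ps1."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "expected_job.txt"), "w") as fh:
            fh.write("legitimate autorun content (constructed sample)\n")
        baseline = snapshot(tmp)

        # Simulate an unexpected script appearing after the baseline was taken.
        with open(os.path.join(tmp, "dropped.ps1"), "w") as fh:
            fh.write("# constructed sample file, contains no payload\n")
        current = snapshot(tmp)

        return findings(diff_snapshots(baseline, current))


if __name__ == "__main__":
    # On a real host: store snapshot(AUTORUN_DIR) once, rerun periodically,
    # and forward findings() to your SIEM. Here we just run the demo.
    for line in demo():
        print(line)
```

In production you would persist the baseline somewhere the MFT service account cannot write, run the comparison on a schedule or from a file-system watcher, and treat a HIGH finding on an internet-facing MFT host as an incident trigger rather than a ticket.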
Researchers from Huntress, Rapid7, Arctic Wolf, and Sophos have documented numerous cases of active exploitation targeting the Cleo Managed File Transfer (MFT) products. According to Huntress, "We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity." A Java-based backdoor known as "Cleopatra" is also being deployed in these attacks, facilitating unauthorized access to compromised systems and supporting large-scale exploitation campaigns.
In addition to this, a new wave of malware targeting Industrial Control Systems (ICS) has been linked to an Iranian-backed cyber threat actor. This sophisticated malware is being used to compromise critical infrastructure and ICS systems, signaling an escalation in cyberattacks aimed at industrial sectors. The rise of these highly targeted attacks underscores the need for enhanced cybersecurity measures to protect vital industrial operations from evolving threats.
The vulnerability in Cleo software and the new malware campaigns highlight the growing risk to both enterprise IT and operational technology environments. Organizations are urged to ensure that all software is patched and up-to-date and to closely monitor their networks for any signs of unusual activity.
For more details on the Cleo product security update and how to implement the latest patches, users are encouraged to visit Cleo’s official security advisory here.
For insights from Huntress on the active exploitation of Cleo software, check out their detailed threat advisory.
Further information from Rapid7 regarding widespread exploitation of Cleo file transfer software is available in their blog post.
To learn more about the Cleopatra backdoor and its role in this mass exploitation campaign, Arctic Wolf’s blog provides valuable insights.
Lastly, for updates from SophosXOps on the status of the vulnerability, visit their X post.