OSINT - Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild
Cleo software is affected by a publicly exploitable vulnerability identified as CVE-2024-50623, which is currently being exploited in the wild (moderate certainty). The vulnerability sits in a public-facing application, so exploitation aligns with MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). Although the severity is reported as low and no CVSS score is assigned, exploitation is industrialized, indicating automated or widespread attack attempts. No patches are currently available, and affected versions remain unspecified, complicating immediate remediation. Depending on the specifics of exploitation, the impact could affect confidentiality, integrity, or availability. European organizations using Cleo software, especially those exposing it to the internet, should increase monitoring, enforce network segmentation, and apply strict access controls. Countries with significant Cleo adoption and critical infrastructure reliance are at higher risk. Given the active exploitation and potential impact, a medium severity rating is suggested to ensure adequate defensive measures without causing undue alarm.
AI Analysis
Technical Summary
The security threat involves a vulnerability in Cleo software, tracked as CVE-2024-50623, which is actively exploited in the wild. The vulnerability lies in public-facing application components, leaving affected instances open to remote exploitation without authentication, consistent with MITRE ATT&CK technique T1190. The exploitation is described as industrialized, suggesting automated attack campaigns targeting vulnerable Cleo instances. Despite the absence of a CVSS score and a reported low severity, the active exploitation and potential impact on confidentiality, integrity, and availability warrant serious attention. No patches or fixes are currently available, and the specific affected versions have not been disclosed, increasing the challenge for defenders. The threat intelligence indicates a 50% certainty level of exploitation, implying moderate confidence in observed attacks. The vulnerability could allow attackers to compromise sensitive data, disrupt services, or alter system functions depending on the exploitation method. European organizations with public-facing Cleo software installations, particularly those in critical infrastructure sectors, are advised to implement enhanced monitoring, network segmentation, and strict access controls to mitigate risk. The lack of patch availability necessitates reliance on defensive controls and detection capabilities until a fix is released. The threat is notable due to the industrialized nature of exploitation and the strategic importance of affected systems in Europe.
Potential Impact
For European organizations, this vulnerability poses risks to confidentiality, integrity, and availability of systems running Cleo software, especially those exposed to the internet. Potential impacts include unauthorized data access or exfiltration, service disruption, and unauthorized modification of data or configurations. Critical infrastructure sectors relying on Cleo software for data integration or file transfer could face operational disruptions, affecting business continuity and service delivery. The absence of patches increases exposure duration, elevating risk levels. Organizations with public-facing Cleo instances are particularly vulnerable to automated exploitation attempts, which could lead to widespread compromise if not mitigated. The threat could also result in reputational damage and regulatory consequences under GDPR if personal or sensitive data is compromised. Given the industrialized exploitation, the attack scale could be significant, impacting multiple organizations across Europe simultaneously.
Mitigation Recommendations
1. Implement enhanced network monitoring and intrusion detection focused on traffic to and from Cleo software instances to identify anomalous or exploit-related activity.
2. Enforce strict network segmentation to isolate Cleo software environments from critical internal networks, limiting lateral movement opportunities.
3. Apply strict access controls and multi-factor authentication for administrative interfaces and management consoles of Cleo software.
4. Restrict public exposure of Cleo software to only necessary endpoints and consider using VPNs or secure gateways to reduce attack surface.
5. Conduct regular vulnerability scanning and penetration testing focused on Cleo deployments to identify potential weaknesses.
6. Prepare incident response plans specific to Cleo exploitation scenarios, including containment and recovery procedures.
7. Engage with the Cleo software vendor and security communities for updates on patches or workarounds and apply them promptly once available.
8. Maintain up-to-date backups of critical data and configurations to enable recovery in case of compromise.
9. Educate IT and security teams about the specific threat and signs of exploitation to improve detection and response capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Indicators of Compromise
- vulnerability: CVE-2024-50623
- text: In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution.
- datetime: 2024-10-30T21:35:00+00:00
- datetime: 2024-10-28T00:15:00+00:00
- text: Published
- link: https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
- text: all
- sigma: Possible Cleo MFT Exploitation 2024

```yaml
title: Possible Cleo MFT Exploitation 2024
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
references: []
date: 2024/12/09
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\javaw.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - ' -NonInteractive'
            - ' -noni '
            - ' -enc '
            - ' -EncodedCommand'
        ParentCommandLine|contains:
            - 'VLTrader'
            - 'lexicom'
            - 'Harmony'
            - 'VersaLex'
    condition: selection
falsepositives:
    - Unknown
level: high
```
- sigma: Javaw Spawning Suspicious Powershell Commands

```yaml
title: Javaw Spawning Suspicious Powershell Commands
id: a0ec945f-2328-40e9-96f6-27dadf72861b
status: experimental
description: Detects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software.
author: Chad Hudson, Matt Anderson
references: []
date: 2024/12/09
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\javaw.exe'
        Image|endswith:
            - '\cmd.exe'
    cmdline:
        CommandLine|contains:
            - ' -nop'
            - ' -noni'
            - ' -NonInteractive'
            - ' -w hidden '
            - ' -windowstyle hidden*'
            - '(New-Object Net.WebClient).Download*'
            - ' -enc '
            - ' -EncodedCommand '
    powershell:
        CommandLine|contains: powershell
    condition: selection and cmdline and powershell
falsepositives:
    - Unknown
```
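The two Sigma rules above, rewritten as plain Python predicates and run over constructed process-creation events, as an added example that is not part of the advisory or of the rule authors' work. The event field names follow the Sigma process_creation log source; the paths, jar names and command lines in the sample events are hypothetical.

```python
# Added example (not from the advisory): the two Sigma rules above as Python
# predicates, run over constructed process_creation events. Field names follow
# the Sigma process_creation log source; matching is case-insensitive by default.
CLEO_PARENTS = ("vltrader", "lexicom", "harmony", "versalex")  # ParentCommandLine
RULE1_CMDLINE = ("powershell", " -noninteractive", " -noni ", " -enc ", " -encodedcommand")
# Rule a0ec945f's list; a trailing '*' is implicit under |contains, so it is dropped.
RULE2_CMDLINE = (" -nop", " -noni", " -noninteractive", " -w hidden ",
                 " -windowstyle hidden", "(new-object net.webclient).download",
                 " -enc ", " -encodedcommand ")

def _contains_any(value, needles):
    value = value.lower()
    return any(n in value for n in needles)

def _javaw_to_cmd(ev):
    """Selection shared by both rules: cmd.exe whose parent is javaw.exe."""
    return (ev["ParentImage"].lower().endswith("\\javaw.exe")
            and ev["Image"].lower().endswith("\\cmd.exe"))

def rule_cleo_mft_exploitation(ev):
    """Possible Cleo MFT Exploitation 2024 (Sigma id f007b877-02e3-45b7-8501-1b78c2864029)."""
    return (_javaw_to_cmd(ev) and _contains_any(ev["CommandLine"], RULE1_CMDLINE)
            and _contains_any(ev["ParentCommandLine"], CLEO_PARENTS))

def rule_javaw_suspicious_powershell(ev):
    """Javaw Spawning Suspicious Powershell Commands (Sigma id a0ec945f-2328-40e9-96f6-27dadf72861b)."""
    return (_javaw_to_cmd(ev) and _contains_any(ev["CommandLine"], RULE2_CMDLINE)
            and "powershell" in ev["CommandLine"].lower())

def evaluate(events):
    """Map each event's name to the names of the rules that fired on it."""
    rules = {"cleo_mft_exploitation": rule_cleo_mft_exploitation,
             "javaw_suspicious_powershell": rule_javaw_suspicious_powershell}
    return {ev["name"]: [n for n, f in rules.items() if f(ev)] for ev in events}

def _event(name, parent_dir, jar, cmdline):
    """Build a constructed process_creation event (hypothetical paths)."""
    javaw = rf"{parent_dir}\jre\bin\javaw.exe"
    return {"name": name, "ParentImage": javaw,
            "ParentCommandLine": f'"{javaw}" -jar {jar}',
            "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": cmdline}

SAMPLE_EVENTS = [  # expected: both rules, rule 1 only, no match
    _event("cleo_encoded_ps", r"C:\VLTrader", "VLTrader.jar",
           "cmd.exe /c powershell -noni -w hidden -enc <constructed-base64>"),
    _event("cleo_plain_ps", r"C:\Harmony", "Harmony.jar",
           r"cmd.exe /c powershell -File C:\scripts\rotate.ps1"),
    _event("other_java_dir", r"C:\Program Files\Java", "app.jar",
           r"cmd.exe /c dir C:\data"),
]
```

The second sample shows why the first rule is the noisier of the two: any PowerShell launched from a Cleo parent fires it, while the second rule only fires on the hidden-window or encoded-command flags.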
Technical Details
- Threat Level: 3
- Analysis: 2
- Uuid: 5ac29be4-309c-436f-84ff-49dd4f98e940
- Original Timestamp: 1733842681
Threat ID: 682c7dbfe8347ec82d2cf3d6
Added to database: 5/20/2025, 1:03:59 PM
Last enriched: 10/28/2025, 7:22:42 PM
Last updated: 11/29/2025, 4:25:24 PM