Concern grows in the security community over the delayed CVE assignment for the second Cleo file-transfer vulnerability
A second critical vulnerability has been identified in Cleo file-transfer software. Despite confirmed exploitation and urgent warnings from security researchers, it had not yet received a CVE identifier at the time of writing (the flaw was subsequently assigned CVE-2024-55956), and the delay has caused concern among industry professionals.
Since last week, security providers including Huntress, Sophos and Rapid7 have reported active exploitation against organizations in sectors such as retail, trucking, shipping and food. Rapid7 researchers have confirmed a small number of successful compromises via the Cleo vulnerability, while Huntress has identified a malware family it calls Malichus being deployed once threat actors gain access to Cleo systems.
A gap between public exploitation and an official CVE identifier is not unusual. A CVE must be requested from and assigned by a CVE Numbering Authority (CNA), which may be the vendor itself or an upstream CNA, and assignment can lag because vulnerability details are incomplete, an investigation is ongoing, vendor communication is slow, or the request is queued behind other work. The absence of a CVE does not diminish the criticality of the flaw; it reflects administrative lag in vulnerability cataloging. Until the identifier exists, however, defenders can only track the issue by vendor advisory and affected product version, which makes it harder to prioritize, deduplicate and report on across tools, and that is why the delay matters in practice.
In a Zoom call on Monday, Huntress shared details of the exploitation of the second vulnerability with Cleo officials. The vulnerability allows unauthenticated attackers to import and execute arbitrary bash or PowerShell commands, bypassing the October patch that was issued to address the first vulnerability, CVE-2024-50623.
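The behaviour described above, an unauthenticated attacker getting the file-transfer service to execute Bash or PowerShell commands, is something defenders can watch for on the host while the CVE and patch status are still unclear. The following is an added example written for this page; it is not code from the article, from Cleo or from Huntress. It scans process-creation events (normalised to JSON lines with parent_image, image and command_line, as an EDR or Sysmon Event ID 1 export would provide) and flags cases where the file-transfer service spawns a shell interpreter. The parent process names in WATCHED_PARENTS (javaw.exe, java) and the sample events are assumptions constructed for the example; replace the parent names with whatever image names the service actually runs under.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Shell interpreters an attacker would use to run imported commands.
SHELL_INTERPRETERS = {"bash", "sh", "dash", "zsh", "powershell.exe", "pwsh.exe", "cmd.exe"}

# ASSUMPTION (not from the article): the image names the file-transfer service
# runs under on the host. Replace with the real service process names.
WATCHED_PARENTS = {"javaw.exe", "java"}

# Command-line fragments that raise severity: encoded/obfuscated PowerShell,
# in-memory execution, or downloader-style tooling.
HIGH_RISK_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|\biex\b|invoke-expression|\bcurl\b|\bwget\b|base64\s+(-d|--decode))",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Last path component, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    child: str
    command_line: str
    severity: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if a watched parent spawned a shell interpreter, else None."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    if parent not in WATCHED_PARENTS or child not in SHELL_INTERPRETERS:
        return None
    cmd = event.get("command_line", "")
    severity = "high" if HIGH_RISK_ARGS.search(cmd) else "medium"
    return Finding(event.get("host", "?"), parent, child, cmd, severity)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over JSON-lines process-creation events, skipping blank lines."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
# The encoded payload is a short placeholder, not a real command.
SAMPLE_EVENTS = [
    {"host": "ft-01", "parent_image": r"C:\Program Files\FTService\javaw.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"host": "ft-02", "parent_image": "/opt/ftservice/jre/bin/java",
     "image": "/usr/bin/bash", "command_line": "bash -c 'id; uname -a'"},
    {"host": "ws-07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Date"},
    {"host": "ft-01", "parent_image": r"C:\Program Files\FTService\javaw.exe",
     "image": r"C:\Program Files\FTService\javaw.exe",
     "command_line": "javaw.exe -jar worker.jar"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"[{f.severity.upper()}] {f.host}: {f.parent} -> {f.child}: {f.command_line}")
```

On the constructed sample, the two events where the service spawns PowerShell or Bash are flagged (the encoded PowerShell one as high), while a user-launched PowerShell and the service spawning its own worker are ignored. The rule deliberately keys on the parent-child relationship rather than on any particular payload, so it does not depend on the attacker's choice of command and survives a patch that changes how the commands are imported.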
Security researchers have stressed the urgency of patching and of robust mitigation, emphasizing that the ongoing exploitation risk outweighs the need to wait for formal CVE categorization. Patrick Garrity, a security researcher at VulnCheck, said that delays like this are often the result of coordination issues, while John Hammond, principal security researcher at Huntress, confirmed that Cleo was already in the process of getting a CVE assigned by the time they spoke at the start of the week.
The first sign of exploitation activity related to the second vulnerability was observed on Dec. 3, according to Huntress. Rapid7 has questioned why the new CVE is still pending, since CVE identifiers are essential for tracking and prioritizing risk, and has urged organizations using Cleo software to take immediate action to protect their systems.
In light of these developments, organizations running Cleo software should stay vigilant and implement robust security measures to mitigate the compromise and ransomware risks associated with this vulnerability (since assigned CVE-2024-55956). Whatever the state of the CVE paperwork, the severity and confirmed exploitation of the flaw require immediate action to secure affected systems.
- Huntress has observed the malware it calls Malichus deployed on compromised Cleo systems, and exploitation of the second vulnerability (later tracked as CVE-2024-55956) continued while the CVE assignment was still pending.
- Despite the delay in CVE assignment, security researchers urge organizations to patch Cleo software immediately and apply strong mitigations, because the exploitation risk outweighs the need for formal CVE categorization.
- Organizations that depend on file-transfer software must stay vigilant and prioritize mitigation of this vulnerability (CVE-2024-55956) to reduce the risk of ransomware and to protect the data that passes through these systems.