VULNERA Pulse

Cleo — Multiple Products

CVE-2024-50623 / Added: Dec. 13, 2024

HIGH CVSS 8.80 EPSS Score 0.05 EPSS Percentile 23.41

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.

Headlines

• Dec. 13, 2024 - Cleo MFT Zero-Day Exploits Are About Escalate
• Dec. 13, 2024 - CISA confirms critical Cleo bug exploitation in ransomware attacks
• Dec. 13, 2024 - Modular Java Backdoor Emerges in Cleo Exploitation Campaign (CVE-2024-50623)
• Dec. 12, 2024 - Cleo patches critical zero-day exploited in data theft attacks
• Dec. 12, 2024 - Cleo patches zero-day exploited by ransomware gang
• Dec. 12, 2024 - PoC Exploit Code Releases Cleo Zero-Day Vulnerability (CVE-2024-50623)
• Dec. 11, 2024 - Zero Day in Cleo File Transfer Software Exploited En Masse
• Dec. 10, 2024 - 'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks
• Dec. 10, 2024 - Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged
• Dec. 10, 2024 - New Cleo zero-day RCE flaw exploited in data theft attacks
• Dec. 10, 2024 - Fully patched Cleo products under '0-day-ish' mass attack
• Dec. 10, 2024 - Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623)
• Dec. 10, 2024 - CVE-2024-50623: Critical Vulnerability in Cleo Software Actively Exploited in the Wild
• Dec. 9, 2024 - Cleo Software Actively Being Exploited in the Wild | Huntress

Back to top ↑

Microsoft — Windows

CVE-2024-49138 / Added: Dec. 10, 2024

HIGH CVSS 7.80 EPSS Score 1.18 EPSS Percentile 85.69

Microsoft Windows Common Log File System (CLFS) driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges.

Headlines

• Dec. 11, 2024 - Microsoft Fixes 71 CVEs Including Actively Exploited Zero-Day
• Dec. 11, 2024 - December Patch Tuesday arrives bearing 71 gifts
• Dec. 11, 2024 - Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability
• Dec. 11, 2024 - Patch Tuesday, December 2024 Edition –
• Dec. 11, 2024 - Microsoft Addresses Critical Zero-Day CVE-2024-49138 & 72 Additional Flaws in December Patch Tuesday
• Dec. 11, 2024 - U.S. CISA adds Microsoft Windows CLFS driver flaw to its Known Exploited Vulnerabilities catalog
• Dec. 10, 2024 - Microsoft December 2024 Patch Tuesday addressed actively exploited zero-day
• Dec. 10, 2024 - Microsoft Fixes Zero-Day, Critical RCEs in Patch Tuesday
• Dec. 10, 2024 - Microsoft fixes exploited zero-day (CVE-2024-49138)
• Dec. 10, 2024 - Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities
• Dec. 10, 2024 - Microsoft closes 2024 with 72 fixes on final Patch Tuesday
• Dec. 10, 2024 - Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws

Back to top ↑

CVE-2024-11639

CRITICAL CVSS 10.00 EPSS Score 0.04 EPSS Percentile 10.84

Risk Context N/A

Published: Dec. 10, 2024

An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access

Quotes

• An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
• We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program

Headlines

• Dec. 11, 2024 - Ivanti fixed a maximum severity vulnerability in its CSA solution
• Dec. 11, 2024 - Three more vulns in Ivanti CSA, all critical, one 10/10
• Dec. 11, 2024 - CVE-2024-11639 (CVSS 10) - Critical Flaw in Ivanti Cloud Services Application: Immediate Patch Recommended
• Dec. 10, 2024 - Ivanti warns of maximum severity CSA auth bypass vulnerability

CVE-2024-49112

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 10.84

Remote Code Execution

Published: Dec. 12, 2024

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Quotes

• CLFS is a logging service that supports user and kernel-mode operations
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one
• An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service
• Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution
• Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years

Headlines

• Dec. 11, 2024 - Microsoft Fixes 71 CVEs Including Actively Exploited Zero-Day
• Dec. 11, 2024 - December Patch Tuesday arrives bearing 71 gifts
• Dec. 11, 2024 - Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability
• Dec. 11, 2024 - Patch Tuesday, December 2024 Edition –
• Dec. 10, 2024 - Microsoft December 2024 Patch Tuesday addressed actively exploited zero-day
• Dec. 10, 2024 - Microsoft Fixes Zero-Day, Critical RCEs in Patch Tuesday
• Dec. 10, 2024 - Microsoft fixes exploited zero-day (CVE-2024-49138)
• Dec. 10, 2024 - Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities
• Dec. 10, 2024 - Microsoft closes 2024 with 72 fixes on final Patch Tuesday

CVE-2020-12271

CRITICAL CVSS 9.80 EPSS Score 1.67 EPSS Percentile 88.14

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware

Published: April 27, 2020

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)

Vendor Impacted: Sophos

Products Impacted: Xg Firewall, Sfos

Quotes

• Guan and his co-conspirators worked at the offices of Sichuan Silence Information Technology Co. Ltd. to discover and exploit a previously-unknown vulnerability (an
• The defendant and his conspirators compromised tens of thousands of firewalls and then continued to hold at risk these devices, which protect computers in the United States and around the world
• Guan competed on behalf of Sichuan Silence in cyber security tournaments and posted recently discovered zero-day exploits on vulnerability and exploit forums, including under his moniker GbigMao
• Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls

Headlines

• Dec. 11, 2024 - Chinese Hacker Pwns 81K Sophos Devices With Zero-Day
• Dec. 11, 2024 - Chinese national charged for hacking thousands of Sophos firewalls
• Dec. 11, 2024 - U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls
• Dec. 11, 2024 - US names Chinese man alleged to have exploited Sophos 0-day

CVE-2024-11773

CRITICAL CVSS 9.10 EPSS Score 0.04 EPSS Percentile 10.84

Risk Context N/A

Published: Dec. 10, 2024

SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

Quotes

• We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure
• An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access

Headlines

• Dec. 11, 2024 - Ivanti fixed a maximum severity vulnerability in its CSA solution
• Dec. 11, 2024 - Three more vulns in Ivanti CSA, all critical, one 10/10
• Dec. 11, 2024 - CVE-2024-11639 (CVSS 10) - Critical Flaw in Ivanti Cloud Services Application: Immediate Patch Recommended

CVE-2024-11772

CRITICAL CVSS 9.10 EPSS Score 0.04 EPSS Percentile 10.84

Remote Code Execution

Published: Dec. 10, 2024

Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Quotes

• We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure
• An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access

Headlines

• Dec. 11, 2024 - Ivanti fixed a maximum severity vulnerability in its CSA solution
• Dec. 11, 2024 - Three more vulns in Ivanti CSA, all critical, one 10/10
• Dec. 11, 2024 - CVE-2024-11639 (CVSS 10) - Critical Flaw in Ivanti Cloud Services Application: Immediate Patch Recommended

CVE-2024-8963

CRITICAL CVSS 9.10 EPSS Score 96.72 EPSS Percentile 99.72

CISA Known Exploited Public Exploits Available

Published: Sept. 19, 2024

Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

Vendor Impacted: Ivanti

Products Impacted: Cloud Services Appliance (Csa), Endpoint Manager Cloud Services Appliance

Quotes

• An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
• We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program

Headlines

• Dec. 11, 2024 - Ivanti fixed a maximum severity vulnerability in its CSA solution
• Dec. 11, 2024 - Three more vulns in Ivanti CSA, all critical, one 10/10
• Dec. 10, 2024 - Ivanti warns of maximum severity CSA auth bypass vulnerability

CVE-2024-50623

HIGH CVSS 8.80 EPSS Score 0.05 EPSS Percentile 23.41

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Oct. 28, 2024

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

Vendor Impacted: Cleo

Product Impacted: Multiple Products

Quotes

• Suggesting the existence of a separate means of compromise
• Unauthenticated malicious hosts vulnerability that could lead to remote code execution
• File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular
• This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable
• Termite ransomware group operators (and maybe other groups) have a zero day exploit for Cleo LexiCom, VLTransfer, and Harmony
• We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity
• After applying the patch, errors are logged for any files found at startup related to this exploit, and those files are removed
• The majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries
• The script establishes a TCP connection to a suspicious external host and retrieves a payload, which is decrypted into a JAR file and executed within Cleo’s embedded Java runtime
• Based on Cleo actively working to craft a new patch and designate a new CVE, it’s fair to assume the December exploitation is a separate issue from the October CVE, but truthfully Cleo is the only source that will know for sure
• We’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3
• From our telemetry, we’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3

Headlines

• Dec. 13, 2024 - Cleo MFT Zero-Day Exploits Are About Escalate
• Dec. 13, 2024 - CISA confirms critical Cleo bug exploitation in ransomware attacks
• Dec. 13, 2024 - Modular Java Backdoor Emerges in Cleo Exploitation Campaign (CVE-2024-50623)
• Dec. 12, 2024 - Cleo patches critical zero-day exploited in data theft attacks
• Dec. 12, 2024 - Cleo patches zero-day exploited by ransomware gang
• Dec. 12, 2024 - PoC Exploit Code Releases Cleo Zero-Day Vulnerability (CVE-2024-50623)
• Dec. 11, 2024 - Zero Day in Cleo File Transfer Software Exploited En Masse
• Dec. 10, 2024 - 'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks
• Dec. 10, 2024 - Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged
• Dec. 10, 2024 - New Cleo zero-day RCE flaw exploited in data theft attacks
• Dec. 10, 2024 - Fully patched Cleo products under '0-day-ish' mass attack
• Dec. 10, 2024 - Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623)
• Dec. 10, 2024 - CVE-2024-50623: Critical Vulnerability in Cleo Software Actively Exploited in the Wild
• Dec. 9, 2024 - Cleo Software Actively Being Exploited in the Wild | Huntress

CVE-2024-49117

HIGH CVSS 8.80 EPSS Score 0.04 EPSS Percentile 10.84

Remote Code Execution

Published: Dec. 12, 2024

Windows Hyper-V Remote Code Execution Vulnerability

Quotes

• CLFS is a logging service that supports user and kernel-mode operations
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service

Headlines

• Dec. 11, 2024 - December Patch Tuesday arrives bearing 71 gifts
• Dec. 11, 2024 - Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability
• Dec. 10, 2024 - Microsoft December 2024 Patch Tuesday addressed actively exploited zero-day
• Dec. 10, 2024 - Microsoft Fixes Zero-Day, Critical RCEs in Patch Tuesday
• Dec. 10, 2024 - Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities

CVE-2024-49138

HIGH CVSS 7.80 EPSS Score 1.18 EPSS Percentile 85.69

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Dec. 12, 2024

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 10 1507, Windows Server 2022 23h2, Windows 11 23h2, Windows 10 21h2, Windows Server 2008, Windows Server 2025, Windows 10 1809, Windows 10 1607, Windows 11 22h2, Windows Server 2022, Windows 11 24h2, Windows 10 22h2

Quotes

• CLFS is a logging service that supports user and kernel-mode operations
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one
• Microsoft Windows Common Log File System (CLFS) driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges
• An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service
• Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution
• Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years

Headlines

• Dec. 11, 2024 - Microsoft Fixes 71 CVEs Including Actively Exploited Zero-Day
• Dec. 11, 2024 - December Patch Tuesday arrives bearing 71 gifts
• Dec. 11, 2024 - Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability
• Dec. 11, 2024 - Patch Tuesday, December 2024 Edition –
• Dec. 11, 2024 - Microsoft Addresses Critical Zero-Day CVE-2024-49138 & 72 Additional Flaws in December Patch Tuesday
• Dec. 11, 2024 - U.S. CISA adds Microsoft Windows CLFS driver flaw to its Known Exploited Vulnerabilities catalog
• Dec. 10, 2024 - Microsoft December 2024 Patch Tuesday addressed actively exploited zero-day
• Dec. 10, 2024 - Microsoft Fixes Zero-Day, Critical RCEs in Patch Tuesday
• Dec. 10, 2024 - Microsoft fixes exploited zero-day (CVE-2024-49138)
• Dec. 10, 2024 - Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities
• Dec. 10, 2024 - Microsoft closes 2024 with 72 fixes on final Patch Tuesday
• Dec. 10, 2024 - Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws

CVE-2024-54143

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 10.84

Actively Exploited Remote Code Execution

Published: Dec. 6, 2024

openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. This can be combined with other attacks, such as a command injection in Imagebuilder that allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key. This has been patched with 920c8a1.

Quotes

• Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision
• Due to the combination of the command injection in the 'openwrt/imagebuilder' image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision
• The Attended SysUpgrade (ASU) facility allows an OpenWrt device to update to new firmware while preserving the packages and settings. This dramatically simplifies the upgrade process: just a couple clicks and a short wait lets you retrieve and install a new image built with all your previous packages

Headlines

• Dec. 13, 2024 - Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection
• Dec. 10, 2024 - CVE-2024-54143: Critical Vulnerability in OpenWrt's Attended SysUpgrade Server Allows for Firmware Poisoning
• Dec. 9, 2024 - OpenWrt Sysupgrade flaw let hackers push malicious firmware images
• Dec. 9, 2024 - OpenWrt supply chain attack scare prompts urgent upgrades