The bug was originally patched in October.
Users of the Cleo Harmony, LexiCom, and VLTrader managed file transfer products have been urged to promptly apply a new fix for the actively exploited zero-day vulnerability.
The vulnerability is tracked as CVE-2024-50623. Cleo said it “continues to work proactively to support customers and has extended enhanced 24/7 customer support services to those needing additional technical assistance in addressing this vulnerability.”
According to The Record, the bug was initially tagged as CVE-2024-50623 in October and patched by the company, but researchers from cybersecurity firm Huntress discovered that systems were still vulnerable even after applying the fix.
Around two dozen organizations, primarily in the retail, shipping, and consumer products sectors, were reported by Huntress to have been compromised in attacks exploiting the Cleo zero-day.
Written by
Dan Raywood
Senior Editor
SC Media UK