A critical vulnerability, CVE-2024-50623, has been discovered in Cleo's file transfer products, resulting in a wave of active exploitation campaigns. This flaw allows unrestricted file uploads and downloads, enabling attackers to execute unauthorized code remotely.

The good news: SFTP To Go customers are unaffected. No action is needed on your part, because you use SFTP To Go!

In case you’re curious, here’s what we know about the vulnerability, and why you can rest assured your data is secure.


What Is CVE-2024-50623?

On December 5, 2024, Cleo disclosed a major vulnerability in the following products:

  • Cleo Harmony: Versions prior to 5.8.0.21
  • Cleo VLTrader: Versions prior to 5.8.0.21
  • Cleo LexiCom: Versions prior to 5.8.0.21

The vulnerability, categorized as CVE-2024-50623, lets attackers upload and download files without restriction, potentially leading to remote code execution (RCE) incidents.

Cleo promptly released version 5.8.0.21 to address the issue, but subsequent reports revealed the patch was incomplete. Cleo plans to release a full fix in version 5.8.0.23, expected soon—but the clock is ticking!


Cleo exploitation: what did it cost?

Damages have yet to be tallied, but the exploitation of this vulnerability began as early as December 3, 2024, targeting internet-facing Cleo instances running unpatched or outdated software.

Attackers have reportedly used the flaw in ransomware campaigns, with links to the Termite ransomware group.

Organizations relying on Cleo products have been advised to disconnect internet-facing systems until the new patch is available, or risk costly repercussions.


Why SFTP To Go Is safe from CVE-2024-50623

Managed and hosted vs. customer-managed instances

Cleo: Customers host Cleo products on their own infrastructure, maintaining individual instances. This model relies on administrators to apply patches, which can leave systems vulnerable if updates are delayed or missed.

SFTP To Go: We’re fully cloud-managed, running on AWS. All updates are applied centrally across our cross-region, multi-AZ architecture. You don’t manage servers or worry about missing critical patches—we do that all for you.

Attack surface and network exposure

Cleo: Instances are often internet-facing, exposing endpoints directly. Attackers exploited this exposure through CVE-2024-50623 to bypass restrictions and execute unauthorized code.

SFTP To Go: Access can be restricted using inbound network rules, allowing connections only from whitelisted IPs or ranges. Public exposure is never the default configuration, reducing the attack surface.

Secure protocols and user isolation

Cleo: Unrestricted filesystem upload and download operations let attackers bypass user-level controls.

SFTP To Go: We enforce strict user isolation through chroot directories, ensuring users can only access their designated home directories. Data in transit uses secure protocols (SFTP, FTPS, HTTPS) with AES-256 encryption, to prevent unauthorized manipulation.

Real-time monitoring and automation

Cleo: Manual patching and reactive processes delayed vulnerability remediation.

SFTP To Go: Automated updates are applied in real time across the platform. Webhooks notify administrators of key events like uploads or deletions, for proactive responses.

Encryption and compliance

Cleo: Encryption may have protected data, but unrestricted file operations may have rendered it ineffective in preventing exploits.

SFTP To Go: Data is encrypted in transit and at rest with AES-256 on AWS S3. We’re compliant with HIPAA, GDPR, and SOC2, ensuring secure, standards-based handling of sensitive data.


The moral of the story

The Cleo vulnerability is an unfortunate reminder that bad actors are always on the hunt for inroads. With SFTP To Go, you’re protected against these risks. We are proactive in our security approach, not reactive.

Here’s why this matters:

  • No emergency patching or system downtime—we take care of updates for you.
  • No risk of public-facing systems being exploited.
  • A platform designed for security, scalability, and compliance.

If you have any questions or concerns, please reach out. Our team is here to support you.

We’re committed to ensuring secure, reliable file transfers so you can focus on your business without worrying about vulnerabilities like CVE-2024-50623.

—The SFTP To Go Team
