Cleo Remote Code Execution
Incident Report for Rapid Response Status Page
Resolved
Dear Customers,

Following our recent update regarding the Cleo vulnerability,
we would like to inform you that our team is still actively researching this issue.

We have published two new hunting queries: one identifies PowerShell spawned from Cleo software, the other identifies Java spawning suspicious PowerShell commands. Both behaviours have been observed as possible post-exploitation activity against Cleo software.

These queries are available on Axon's GitHub:
- Shell execution under Cleo software:
https://github.com/axon-git/rapid-response/blob/main/Cleo-CVE-2024-50623/proc_creation_cleo_exploitation.sql
- Java spawning suspicious PowerShell:
https://github.com/axon-git/rapid-response/blob/main/Cleo-CVE-2024-50623/proc_creation_suspicious_powershell_from_javaw.sql
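The two hunting behaviours described above (a shell spawned under a Cleo product, and java/javaw launching PowerShell with evasion-style arguments) can be illustrated in a few lines of Python over process-creation telemetry. The block below is an added example and is not Axon's published SQL nor Cleo's code; the event field names, the directory names used to recognise a Cleo parent process, the suspicious-argument heuristics and the sample events are all assumptions constructed for illustration.

```python
"""Hunt for shells spawned under Cleo software and suspicious PowerShell
launched by Java, over constructed process-creation events.

Assumptions (not from the status page): the event field names, the Cleo
install-directory names used to recognise a Cleo parent process, and the
PowerShell argument heuristics treated as suspicious.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (EDR/Sysmon-style fields, assumed names)."""
    parent_image: str
    image: str
    command_line: str


# Directory names assumed to identify a Cleo product install (Harmony,
# VLTrader, LexiCom); tune these to the install paths used in your estate.
CLEO_DIR_MARKERS = ("harmony", "vltrader", "lexicom")
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
JAVA_IMAGES = {"javaw.exe", "java.exe"}

# Command-line traits commonly used to hide or stage PowerShell activity
# (assumed heuristics; not the logic of Axon's published queries).
SUSPICIOUS_PS_ARGS = [
    re.compile(r"-(?:enc|encodedcommand)\b", re.I),
    re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"downloadstring|invoke-webrequest|invoke-expression|\biex\b", re.I),
]


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def shell_under_cleo(ev: ProcEvent) -> bool:
    """Rule 1: a shell whose parent executable lives in a Cleo install tree."""
    parent = ev.parent_image.replace("\\", "/").lower()
    return (image_name(ev.image) in SHELL_IMAGES
            and any(marker in parent for marker in CLEO_DIR_MARKERS))


def suspicious_powershell_from_java(ev: ProcEvent) -> bool:
    """Rule 2: java/javaw spawning PowerShell with evasion-style arguments."""
    return (image_name(ev.parent_image) in JAVA_IMAGES
            and image_name(ev.image) in POWERSHELL_IMAGES
            and any(p.search(ev.command_line) for p in SUSPICIOUS_PS_ARGS))


RULES = {
    "shell_under_cleo": shell_under_cleo,
    "suspicious_powershell_from_java": suspicious_powershell_from_java,
}


def hunt(events):
    """Return (rule_name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events; the encoded argument is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\LexiCom\jre\bin\javaw.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="),
    ProcEvent(r"C:\Harmony\jre\bin\java.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent(r"C:\Tools\jdk\bin\java.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoLogo Get-Date"),          # benign: no evasion arguments
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass .\\deploy.ps1"),   # parent is neither Cleo nor Java
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {image_name(ev.parent_image)} -> {ev.command_line}")
```

Run against the constructed events, the first event fires both rules and the second fires only the Cleo-parent rule; the benign Java child and the explorer-spawned PowerShell produce no hits. The parent-path rule is intentionally broad (any shell, any arguments) because a shell under a file-transfer server's process tree is rare enough to review by hand, while the Java rule needs the argument heuristics to stay usable on hosts where Java launches PowerShell legitimately.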

Axon reports have also been published for Team Axon customers, including the updated list of deliverables.

We continue to monitor the Cleo vulnerability and will provide further updates as necessary. Should you have any questions regarding the queries or any other concerns, please don't hesitate to reach out.

Sincerely,
Team Axon
Posted Dec 16, 2024 - 17:00 UTC
Investigating
Team AXON is aware of a publication about a critical remote code execution (RCE) vulnerability affecting Cleo servers.
According to the publication, this vulnerability allows a remote, unauthenticated attacker to import and execute bash or PowerShell commands by exploiting the default Autorun folder settings.

Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24), which addresses additional potential attack vectors discovered for this vulnerability. Customers who cannot immediately upgrade are advised to disable the Autorun feature by going into the System Options and clearing out the Autorun directory.

The vulnerability is still under Team AXON's evaluation. Our team will provide updates, including potential deliverables, after analyzing and assessing the vulnerability in depth. Any customers identified as impacted will be notified directly.

For further assistance, please don't hesitate to contact us.

Sincerely,
Team AXON
Posted Dec 16, 2024 - 07:20 UTC
This incident affected: Rapid Response.