A critical vulnerability has been discovered in the Cl0p cybercrime gang’s custom data exfiltration tool, which exposes the group itself to potential remote code execution (RCE) attacks. This flaw, rated with a severity score of 8.9, was found by Italian researcher Lorenzo N and detailed by the Computer Incident Response Center Luxembourg (CIRCL).
Key details about the vulnerability
The data exfiltration tool is Python-based and was notably used during the 2023-2024 MOVEit mass data theft campaigns. The vulnerability is due to improper input validation (CWE-20): specifically, the software fails to sanitize input when handling file or directory names received from compromised machines. These unsanitized inputs are passed directly into a shell-escape sequence, allowing attacker-supplied strings to be concatenated into OS commands. If a maliciously named folder is loaded by Cl0p’s tool, it could trigger arbitrary command execution on the staging/collection host used by the gang.
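The pattern the paragraph describes, an untrusted file name concatenated into a shell command, is a textbook CWE-20 leading to OS command injection. The following Python block is an added illustration, not code from Cl0p's tool or from CIRCL's write-up; every function name, the sample file names and the tar invocation are constructed assumptions. It shows the vulnerable string concatenation next to the two usual fixes: quoting with shlex.quote when a shell string cannot be avoided, and allow-listing the name plus dropping the shell altogether.

```python
"""Untrusted file names in shell commands: vulnerable pattern and fixes.
Added example with hypothetical names; not the tool's own code."""
import pathlib
import re
import shlex
import tarfile
import tempfile

# Constructed sample names as a remote host might report them. The second one
# carries shell metacharacters, standing in for a "maliciously named folder".
SAMPLE_NAMES = ["quarterly_report.xlsx", "notes; echo INJECTED #.txt"]


def build_shell_command_unsafe(name: str) -> str:
    """Vulnerable pattern: the untrusted name goes straight into a shell string.
    A shell would treat everything after ';' as a second command."""
    return "tar -czf staging.tgz " + name


def build_shell_command_quoted(name: str) -> str:
    """Minimal fix when a shell string is unavoidable: shlex.quote wraps the
    name so the shell sees exactly one literal argument."""
    return "tar -czf staging.tgz " + shlex.quote(name)


# Allow-list: one path component of conservative characters (hypothetical policy).
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")


def name_is_safe(name: str) -> bool:
    """CWE-20 fix: validate the input before it reaches any command or path."""
    return bool(_SAFE_NAME.fullmatch(name)) and name not in (".", "..")


def archive_safe(base: pathlib.Path, name: str, out: pathlib.Path) -> bool:
    """Hardened form: validate the name, keep the path inside `base`, and avoid
    the shell entirely by using the tarfile module. Returns False on rejection."""
    if not name_is_safe(name):
        return False
    target = (base / name).resolve()
    if target.parent != base.resolve() or not target.exists():
        return False  # traversal attempt or missing file
    with tarfile.open(out, "w:gz") as tf:
        tf.add(target, arcname=name)
    return True


def demo() -> dict:
    """Run all three forms against the sample names in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = pathlib.Path(d)
        for name in SAMPLE_NAMES:
            (base / name).write_text("constructed content")
        for name in SAMPLE_NAMES:
            results[name] = {
                "unsafe_cmd": build_shell_command_unsafe(name),
                "quoted_cmd": build_shell_command_quoted(name),
                "archived": archive_safe(base, name, base / "out.tgz"),
            }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(repr(name), r)
```

The unsafe builder never executes anything here; it only shows the command string a shell would receive, which is the point where the injected `; echo ...` would become a second command. The hardened path rejects the metacharacter-laden name before any file or command is touched, and even an accepted name never reaches a shell.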
Implications and expectations
Cl0p’s rivals or other attackers could exploit this RCE vulnerability to disrupt Cl0p’s operations or even steal data from the gang using their own exfiltration infrastructure. Security experts recommend Cl0p not patch the vulnerability immediately.
