Remote Command Execution Vulnerability in Cleo Harmony, VLTrader, and LexiCom
CVE-2024-55956
Key Information:
- Vendor: Cleo
- Products: Harmony, VLTrader, LexiCom
- CVE Published: 13 December 2024
What is CVE-2024-55956?
CVE-2024-55956 is a serious security vulnerability in Cleo Harmony, VLTrader, and LexiCom, managed file transfer and data integration products used across many industries. The flaw allows an unauthenticated attacker to import and execute arbitrary Bash or PowerShell commands on the host system by abusing the products' default settings, notably those of the Autorun directory. Left unaddressed, it can lead to unauthorized system access, manipulation of sensitive data, and compromise of entire networks. Organizations relying on these tools face severe disruption, data loss, or reputational damage if it is exploited.
Technical Details
CVE-2024-55956 hinges on the products running in their default configuration. Versions of Cleo Harmony, VLTrader, and LexiCom before 5.8.0.24 are affected, and a malicious actor can run commands without any authentication. The attacker places a script where the Autorun feature picks it up, and the product executes it with the privileges of the user or service account the software runs as. The resulting command execution allows not only access to and exfiltration of sensitive files but also installation of additional malware, pivoting to other systems, and a persistent foothold in the target environment.
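As an added defender-side triage example (not code from the advisory or from Cleo), the following Python script compares an installed version string numerically against the 5.8.0.24 fix threshold, which plain string comparison gets wrong, and flags script-like or recently changed files in the Autorun directory. The directory path, the flagged extensions and the sample entries are assumptions, not values from the advisory.

```python
import time
from pathlib import Path

FIXED_VERSION = "5.8.0.24"  # first fixed release named in the advisory
# Assumption: which extensions count as script-like; not from the advisory.
SCRIPT_SUFFIXES = {".ps1", ".sh", ".bat", ".cmd"}


def parse_version(version: str) -> tuple:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so components compare as integers.

    Plain string comparison would wrongly rank '5.8.0.3' above '5.8.0.24'.
    Non-digit characters inside a component (build tags) are ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str) -> bool:
    """True when the installed Harmony/VLTrader/LexiCom build predates 5.8.0.24."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def flag_autorun_entries(entries, now, max_age_days=7):
    """Return names from (name, mtime) pairs that deserve a closer look.

    A file is flagged when it has a script-like extension or was modified
    within the last max_age_days: an unexpected new file in Autorun is the
    artefact that abuse of this vulnerability leaves behind.
    """
    cutoff = now - max_age_days * 86400
    flagged = []
    for name, mtime in entries:
        if Path(name).suffix.lower() in SCRIPT_SUFFIXES or mtime >= cutoff:
            flagged.append(name)
    return sorted(flagged)


def scan_autorun_dir(autorun_dir):
    """Apply flag_autorun_entries to a real directory (the path is an assumption)."""
    entries = [(p.name, p.stat().st_mtime) for p in Path(autorun_dir).iterdir() if p.is_file()]
    return flag_autorun_entries(entries, time.time())


if __name__ == "__main__":
    # Constructed sample data, not taken from any real host.
    now = 1_734_000_000  # fixed epoch timestamp, roughly mid-December 2024
    sample = [("README.txt", now - 400 * 86400), ("healthcheck.ps1", now - 60)]
    print("vulnerable:", is_vulnerable("5.8.0.21"))
    print("flagged:", flag_autorun_entries(sample, now))
```

Run `scan_autorun_dir` against the product's actual Autorun location on each host, and treat any flagged file that nobody on the team placed there as an incident lead.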
Potential Impact of CVE-2024-55956
- Unauthorized Access and Control: This vulnerability allows attackers to gain full control over affected systems, potentially leading to unauthorized data access, system manipulation, and deployment of malicious software.
- Data Breaches: Exploiting CVE-2024-55956 could result in severe data breaches for organizations, compromising sensitive information, intellectual property, or customer data, ultimately jeopardizing regulatory compliance and damaging public trust.
- Operational Disruption: Following an exploit, organizations might experience significant operational disruption, whether through system downtime, data loss recovery efforts, or remediation activities, all of which have lasting impacts on productivity and financial stability.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities; it has identified this one as being actively exploited and as known to enable ransomware campaigns.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
Cleo vulnerability attacks claimed by Clop ransomware gang
The group behind the 2023 MOVEit attacks says it is deleting previous victims' data to focus on its Cleo campaign.
Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility
Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-linked...
Cleo zero-day vulnerability gets CVE as attacks continue | TechTarget
A zero-day vulnerability disclosed last week that impacts three of Cleo's managed file transfer products finally got a CVE designation: CVE-2024-55956.
EPSS Score
92% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Public PoC available
- Used in Ransomware
- CISA Reported
- Exploit known to exist
- First article discovered by SecurityWeek
- Vulnerability published