CVE-2024-55956
Cleo Multiple Products Unauthenticated File Upload - [Actively Exploited]
Description
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
INFO
Published Date :
Dec. 13, 2024, 9:15 p.m.
Last Modified :
Dec. 20, 2024, 3:21 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.9
Exploitability Score :
3.9
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956 ; https://nvd.nist.gov/vuln/detail/CVE-2024-55956
Public PoC/Exploit Available at Github
CVE-2024-55956 has a 1 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-55956.
| URL | Resource |
|---|---|
| https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending | Vendor Advisory |
| https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update | Vendor Advisory |
| https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild | Exploit Third Party Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Proof of concept to use an arbitrary file write to achieve Remote Code Execution in Cleo Harmony, VLTrader, and LexiCom before 5.8.0.24.
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-55956 vulnerability anywhere in the article.
-
security.nl
Clop-groep claimt zestig slachtoffers via recente aanval op Cleo-software
De criminelen achter de Clop-ransomware claimen via de recente aanval op file sharing software van ontwikkelaar Cleo meer dan zestig slachtoffers te hebben gemaakt. Op de eigen 'Clop Leaks' website he ... Read more
-
The Register
Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility
Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-li ... Read more
-
Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
Cl0p Ransomware Exploits Cleo Vulnerability, Threatens Data Leaks
SUMMARY Cleo Vulnerability Exploited: The Cl0p ransomware group claims to have exploited a critical vulnerability in Cleo’s managed file transfer software, targeting businesses globally. Data Leak Thr ... Read more
-
security.nl
Shadowserver: bijna duizend kwetsbare Cleo-servers op internet
Op internet zijn bijna duizend servers te vinden die kwetsbare file sharing software van Cleo draaien, waarvan het allergrootste deel in de Verenigde Staten, op afstand gevolgd door Canada. Dat meldt ... Read more
-
security.nl
Clop-ransomware claimt verantwoordelijkheid voor datadiefstal via Cleo-lek
De criminelen achter de Clop-ransomware, die vijf jaar geleden nog systemen van de Universiteit van Maastricht infecteerden, zeggen achter de aanvallen te zitten waarbij misbruik wordt gemaakt van een ... Read more
-
BleepingComputer
Clop ransomware claims responsibility for Cleo data theft attacks
12/16/24 update: Article updated to include new information about Cleo CVE-2024-50623 and CVE-2024-55956 flaws. The Clop ransomware gang has confirmed to BleepingComputer that they are behind the rece ... Read more
-
security.nl
VS bevestigt misbruik van kritiek Cleo-lek bij ransomware-aanvallen
Een kritieke kwetsbaarheid in de file sharing software van softwarebedrijf Cleo wordt gebruikt bij ransomware-aanvallen, zo heeft het Amerikaanse cyberagentschap CISA bevestigd. Eerder stelden beveili ... Read more
-
Help Net Security
Cleo patches zero-day exploited by ransomware gang
Cleo has released a security patch to address the critical vulnerability that started getting exploited while still a zero-day to breach internet-facing Cleo Harmony, VLTrader, and LexiCom instances. ... Read more
-
huntress.com
Cleo Malichus Malware Analysis CVE-2024-55956| Huntress
Summary - CVE-2024-55956Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. The malware being delivered through this exploitation has no ... Read more
-
The Hacker News
Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged
Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully pa ... Read more
-
Help Net Security
Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623)
Attackers are exploiting a vulnerability (CVE-2024-50623) in file transfer software by Cleo – LexiCo, VLTransfer, and Harmony – to gain access to organizations’ systems, Huntress researchers warned on ... Read more
-
huntress.com
Cleo Software Actively Being Exploited in the Wild CVE-2024-55956 | Huntress
CVE-2024-55956 SummaryOn December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed ... Read more
-
Darktrace
Phishing Attacks Surge Over 600% in the Buildup to Black Friday
Introduction: Nation state attacks on supply chainsIn recent years, supply chain attacks have surged in both frequency and sophistication, evolving into one of the most severe threats to organizations ... Read more
The following table lists the changes that have been made to the
CVE-2024-55956 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Dec. 20, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE NIST CWE-77 Added CPE Configuration OR *cpe:2.3:a:cleo:harmony:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.24 *cpe:2.3:a:cleo:lexicom:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.24 *cpe:2.3:a:cleo:vltrader:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.24 Changed Reference Type https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending No Types Assigned https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending Vendor Advisory Changed Reference Type https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update No Types Assigned https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update Vendor Advisory Changed Reference Type https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild No Types Assigned https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild Exploit, Third Party Advisory -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Dec. 18, 2024
Action Type Old Value New Value Added Date Added 2024-12-17 Added Due Date 2025-01-07 Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name Cleo Multiple Products Unauthenticated File Upload Vulnerability -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Dec. 16, 2024
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-276 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 13, 2024
Action Type Old Value New Value Added Reference https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update Added Reference https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild -
New CVE Received by [email protected]
Dec. 13, 2024
Action Type Old Value New Value Added Description In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Added Reference https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-55956 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-55956
weaknesses.