CVE-2024-55956
Cleo Multiple Products Unauthenticated File Upload Vulnerability - [Actively Exploited]
Description
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
INFO
- Published Date: Dec. 13, 2024, 9:15 p.m.
- Last Modified: Oct. 21, 2025, 11:16 p.m.
- Remotely Exploitable: Yes
- Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956 ; https://nvd.nist.gov/vuln/detail/CVE-2024-55956
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | CRITICAL | | | | [email protected] |
| | CVSS 3.1 | CRITICAL | | | | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Upgrade to Cleo Harmony version 5.8.0.24 or later.
- Upgrade to Cleo LexiCom version 5.8.0.24 or later.
- Upgrade to Cleo VLTrader version 5.8.0.24 or later.
Public PoC/Exploit Available at GitHub
CVE-2024-55956 has 3 public PoCs/exploits available on GitHub.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept published on GitHub (sorted by most recently updated).
- Proof of concept to use an arbitrary file write to achieve Remote Code Execution in Cleo Harmony, VLTrader, and LexiCom before 5.8.0.24. (Python)
- CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability. (Python)
- Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs. Tags: cisa-kev, vulnerability, 0day, cisa, exploits
The following news articles mention the CVE-2024-55956 vulnerability anywhere in the article.
- BleepingComputer: American Airlines subsidiary Envoy confirms Oracle data theft attack
  Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines ...
- BleepingComputer: Harvard investigating breach linked to Oracle zero-day exploit
  Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site, saying the alleged breach was likely caused by a recently disclosed zero-day v ...
- BleepingComputer: Oracle patches EBS zero-day exploited in Clop data theft attacks
  Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively expl ...
- cybereason.com: Addressing the CL0P Extortion Campaign Targeting Oracle E-Business Suite (EBS) Users
  Cybereason is continuing to investigate. Check the Cybereason blog for additional updates. Overview and What Cybereason Knows So Far July 2025, Oracle released security updates including 309 patches, ...
- BleepingComputer: Clop extortion emails claim theft of Oracle E-Business Suite data
  Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems Acco ...
- Help Net Security: AI gives ransomware gangs a deadly upgrade
  Ransomware continues to be the major threat to large and medium-sized businesses, with numerous ransomware gangs abusing AI for automation, according to Acronis. Ransomware gangs maintain pressure on ...
- cybereason.com: CVE-2025-53770 & CVE-2025-53771: Critical On-Prem SharePoint Vulnerabilities
  Cybereason is actively investigating exploitation of these vulnerabilities. Check the Cybereason blog for additional updates. Key Takeaways Two zero-day vulnerabilities discovered in on-premise Micros ...
- Cyber Security News: 213% Increase in Ransomware Attacks Targeting Organizations With First Quarter of 2025
  The first quarter of 2025 has witnessed an unprecedented surge in ransomware attacks, with 2,314 victims listed across 74 unique data leak sites, representing a staggering 213% increase compared to th ...
- The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  Enterprise Security / Vulnerability Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023. Of the 75 zero-days, 44% of them targeted ente ...
- Google Cloud: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
  Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, ...
- The Register: Where it Hertz: Customer data driven off in Cleo attacks
  Car hire giant Hertz has confirmed that customer information was stolen during the zero-day data raids on Cleo file transfer products last year. A breach notification was issued on Monday on behalf of ...
- BleepingComputer: Food giant WK Kellogg discloses data breach linked to Clop ransomware
  US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks. Cleo software is a managed file transfer utility that was targeted by ...
- cybereason.com: CVE-2025-23006: Critical Vulnerability Discovered in SonicWall SMA 1000 Series
  Key Takeaways Critical vulnerability discovered in SonicWall’s SMA 1000 series appliances, tracked as CVE-2025-23006. Impacted products include Appliance Management Console (AMC) and Central Managemen ...
- security.nl: Clop group claims sixty victims via recent attack on Cleo software
  The criminals behind the Clop ransomware claim to have made more than sixty victims through the recent attack on file sharing software from developer Cleo. On their own 'Clop Leaks' website ...
- The Register: Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility
  Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-li ...
- Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News: Cl0p Ransomware Exploits Cleo Vulnerability, Threatens Data Leaks
  SUMMARY Cleo Vulnerability Exploited: The Cl0p ransomware group claims to have exploited a critical vulnerability in Cleo’s managed file transfer software, targeting businesses globally. Data Leak Thr ...
- security.nl: Shadowserver: nearly a thousand vulnerable Cleo servers on the internet
  Nearly a thousand servers running vulnerable Cleo file sharing software can be found on the internet, the vast majority of them in the United States, followed at a distance by Canada. This is reported ...
- security.nl: Clop ransomware claims responsibility for data theft via Cleo vulnerability
  The criminals behind the Clop ransomware, who five years ago infected systems at Maastricht University, say they are behind the attacks that exploit a ...
- BleepingComputer: Clop ransomware claims responsibility for Cleo data theft attacks
  12/16/24 update: Article updated to include new information about Cleo CVE-2024-50623 and CVE-2024-55956 flaws. The Clop ransomware gang has confirmed to BleepingComputer that they are behind the rece ...
- security.nl: US confirms exploitation of critical Cleo vulnerability in ransomware attacks
  A critical vulnerability in the file sharing software of software company Cleo is being used in ransomware attacks, the US cyber agency CISA has confirmed. Previously, security ...
The following entries list the changes that have been made to the CVE-2024-55956 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Oct. 21, 2025
  - Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55956
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Oct. 21, 2025
  - Removed Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55956
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Oct. 21, 2025
  - Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55956
- Modified Analysis by [email protected], Mar. 14, 2025
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Feb. 05, 2025
  - Added CWE: CWE-77
  - Removed CWE: CWE-276
- Initial Analysis by [email protected], Dec. 20, 2024
  - Added CVSS V3.1: NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Added CWE: NIST CWE-77
  - Added CPE Configuration: OR
    - cpe:2.3:a:cleo:harmony:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.24
    - cpe:2.3:a:cleo:lexicom:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.24
    - cpe:2.3:a:cleo:vltrader:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.24
  - Changed Reference Type: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending, from No Types Assigned to Vendor Advisory
  - Changed Reference Type: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update, from No Types Assigned to Vendor Advisory
  - Changed Reference Type: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild, from No Types Assigned to Exploit, Third Party Advisory
- CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725, Dec. 18, 2024
  - Added Date Added: 2024-12-17
  - Added Due Date: 2025-01-07
  - Added Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  - Added Vulnerability Name: Cleo Multiple Products Unauthenticated File Upload Vulnerability
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Dec. 16, 2024
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Added CWE: CWE-276
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108, Dec. 13, 2024
  - Added Reference: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update
  - Added Reference: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
- New CVE Received by [email protected], Dec. 13, 2024
  - Added Description: In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
  - Added Reference: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending