Cyber Resilience

CVE-2024-55956

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 13 December 2024
Modified: 04 November 2025
KEV Added: 17 December 2024
Patch: vendor fix in 5.8.0.24 (see Deeper analysis)
CVSS Score (v3.1): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9122 (99.7th percentile)
Risk Priority: 94 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55956 is a critical-severity command injection (CWE-77) vulnerability in Cleo Harmony, VLTrader and LexiCom before 5.8.0.24. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of all CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Deeper analysis

Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24 contain a command injection vulnerability (CWE-77) tracked as CVE-2024-55956. The flaw allows an unauthenticated remote user to import and execute arbitrary Bash or PowerShell commands on the underlying host by abusing the products' default Autorun directory configuration. The CVSS 3.1 score of 9.8 reflects a network attack vector with low attack complexity and no credentials or user interaction required.

An attacker can send specially crafted files or commands to the affected managed file transfer software and obtain arbitrary code execution with the privileges of the Cleo service account. Successful exploitation grants full control over the host, enabling data theft, persistence, lateral movement, or ransomware deployment.

Cleo has published security advisories and remediation guidance directing customers to upgrade to version 5.8.0.24 or later. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, so federal agencies must apply the vendor patch by the catalog's due date.

Huntress has reported active exploitation of the flaw in the wild. The associated EPSS score peaked at 0.9675 and currently stands at 0.9122, indicating sustained attacker interest after disclosure.
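As an added triage example (not code from Cleo, from Huntress, or from this page's sources), the following Python script does three things a responder would want after reading the analysis above: it compares a discovered build string against the fixed release 5.8.0.24, it sweeps an operator-supplied Autorun directory for files carrying shell or PowerShell command markers, and it reproduces the page's risk priority figure from the stated 60/20/20 weights. The Autorun path, the marker pattern, the constructed sample files, and the 0-100 scaling used in the score are assumptions of the example, not facts taken from the page.

```python
"""Triage helper for CVE-2024-55956 in Cleo Harmony, VLTrader and LexiCom.

Added example for this page; it is not Cleo's code and not from the advisory.
Assumed for illustration: the Autorun directory path is supplied by the operator,
the command-marker pattern, the constructed sample files, and the 0-100 scaling
used to reproduce the page's risk priority score.
"""
import re
import tempfile
from pathlib import Path

# First fixed release named in the advisory: everything before it is affected.
FIXED_VERSION = (5, 8, 0, 24)


def parse_version(text: str) -> tuple:
    """Turn '5.8.0.21' into (5, 8, 0, 21); missing trailing fields count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_vulnerable(version: str) -> bool:
    """True for any Harmony/VLTrader/LexiCom build before 5.8.0.24."""
    return parse_version(version) < FIXED_VERSION


# Strings a shell or PowerShell payload dropped into the Autorun directory would
# plausibly contain. The page only says Bash or PowerShell commands get executed,
# so this marker list is an assumption of the example, not a vendor IoC list.
COMMAND_MARKERS = re.compile(
    r"(powershell(?:\.exe)?|cmd(?:\.exe)?\s*/c|/bin/(?:ba)?sh|\bbash\b"
    r"|-EncodedCommand|\bIEX\b|Invoke-Expression|curl\s|wget\s)",
    re.IGNORECASE,
)


def hunt_autorun(autorun_dir: Path, allowlist: frozenset = frozenset()) -> list:
    """Return (filename, [markers]) for files in the Autorun directory that are
    not on the operator's allowlist and contain command markers."""
    findings = []
    for path in sorted(autorun_dir.iterdir()):
        if not path.is_file() or path.name in allowlist:
            continue
        try:
            content = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        hits = sorted({m.group(0) for m in COMMAND_MARKERS.finditer(content)})
        if hits:
            findings.append((path.name, hits))
    return findings


def risk_priority(epss: float, in_kev: bool, cvss: float) -> float:
    """Page weighting: 60% EPSS, 20% KEV, 20% CVSS. Scaling each input to 0-100
    before weighting is an assumption, but it reproduces the page's score of 94."""
    return 0.6 * epss * 100 + 0.2 * (100 if in_kev else 0) + 0.2 * (cvss / 10) * 100


def demo() -> dict:
    """Run the checks against a constructed Autorun directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        autorun = Path(tmp)
        # Constructed benign autorun action, e.g. a routine scheduled transfer.
        (autorun / "nightly_archive.xml").write_text(
            "<Action>copy outbound/*.csv to archive/</Action>\n"
        )
        # Constructed suspicious drop: a hidden, encoded PowerShell invocation.
        (autorun / "dropped_host.txt").write_text(
            "powershell.exe -nop -w hidden -EncodedCommand QQBBAEEA\n"
        )
        return {
            "vulnerable_5_8_0_21": is_vulnerable("5.8.0.21"),
            "vulnerable_5_8_0_24": is_vulnerable("5.8.0.24"),
            "findings": hunt_autorun(autorun),
            "risk_priority": round(risk_priority(0.9122, True, 9.8)),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, point hunt_autorun at the product's actual Autorun directory and seed the allowlist with the autorun files the deployment legitimately uses. A hit is a starting point for forensic review rather than proof of compromise: the page documents the execution mechanism, not a specific dropped-file format, so the marker list will both miss obfuscated payloads and flag legitimate automation that happens to call a shell.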

Vulnerability details

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 17 December 2024

Related Threats

Threat-Actor Attribution (AI-generated)

Cl0p: CISA's KEV ransomware-use flag and Huntress reporting tie active exploitation of this Cleo MFT zero-day to the Cl0p group.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.001 PowerShell (Execution): Adversaries may abuse PowerShell commands and scripts for execution.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The unauthenticated RCE in Internet-facing Cleo file transfer software (Harmony, VLTrader, LexiCom) via the Autorun directory is exploitation of a public-facing application, and the payload it executes is arbitrary PowerShell or Bash/Unix shell commands.

Affected Assets

cleo harmony: versions before 5.8.0.24 (fixed in 5.8.0.24)
cleo lexicom: versions before 5.8.0.24 (fixed in 5.8.0.24)
cleo vltrader: versions before 5.8.0.24 (fixed in 5.8.0.24)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated)

AC-3 Access Enforcement (prevent): Directly enforces authentication and authorization checks before permitting any import or execution of files from the Autorun directory, blocking the unauthenticated command injection path.

AC-17 Remote Access (prevent): Requires explicit authorization, encryption, and monitoring of all remote connections, removing the open unauthenticated network access through which arbitrary Bash/PowerShell execution is reached.

Least functionality (prevent): Restricts the system to only the minimum required functionality, disabling or sandboxing the default Autorun directory behavior that executes untrusted scripts without any check.
