CVE-2024-55956
Published: 13 December 2024
Summary
CVE-2024-55956 is a critical-severity Command Injection (CWE-77) vulnerability in Cleo Harmony. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of all CVEs by exploit likelihood (EPSS percentile), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Deeper analysis
Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24 contain a command injection vulnerability tracked as CVE-2024-55956 and classified as CWE-77. The flaw allows an unauthenticated remote user to import and execute arbitrary Bash or PowerShell commands on the underlying host by abusing the products' default Autorun directory configuration. The issue carries a CVSS 3.1 base score of 9.8, reflecting a network-reachable, low-complexity attack that requires neither credentials nor user interaction.
An attacker can send specially crafted files or commands to the affected transfer-management software and obtain arbitrary code execution with the privileges of the service account. Successful exploitation grants full control over the host system, enabling data theft, persistence, lateral movement, or ransomware deployment.
Cleo has published security advisories and remediation guidance directing customers to upgrade to version 5.8.0.24 or later. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming that federal agencies must apply the vendor patch according to the published timeline.
Huntress has reported active exploitation of the flaw in the wild. The associated EPSS score reached a peak of 0.9675 and currently stands at 0.9122, indicating sustained attacker interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52864
Vulnerability details
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
- CWE(s): CWE-77 (Command Injection)
- KEV Date Added: 17 December 2024
Related Threats
Threat-Actor Attribution
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated RCE vulnerability in public-facing Cleo file transfer software (Harmony, VLTrader, LexiCom), reached via the Autorun directory, maps to Exploit Public-Facing Application (T1190) for initial access and to Command and Scripting Interpreter: PowerShell (T1059.001) and Unix Shell (T1059.004) for the arbitrary commands executed on the host.
Affected Assets
- Cleo Harmony, VLTrader, and LexiCom, all versions prior to 5.8.0.24
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization checks before permitting any import or execution of files from the Autorun directory, blocking the unauthenticated command injection path.
- AC-17 (Remote Access): Requires explicit authorization, encryption, and monitoring of all remote connections, eliminating the open unauthenticated network access that allows arbitrary Bash/PowerShell execution.
- CM-7 (Least Functionality): Restricts the system to only the minimum required functionality, disabling or sandboxing the default Autorun directory behavior that executes untrusted scripts without any check.