CVE-2021-33576

9.8 CRITICAL

📋 TL;DR

CVE-2021-33576 is a path traversal vulnerability in Cleo LexiCom AS2 file transfer software. Attackers can manipulate filenames in AS2 messages to write files to arbitrary locations on the server's filesystem. Organizations using Cleo LexiCom 5.5.0.0 for AS2 file transfers are affected.

💻 Affected Systems

Products:
  • Cleo LexiCom
Versions: 5.5.0.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the AS2 message processing functionality. Requires AS2 communication to be enabled and the server to be processing incoming messages.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution via writing malicious files to critical system locations, complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Unauthorized file writes to sensitive directories, potential data corruption, or denial of service by overwriting critical files.

🟢 If Mitigated: Limited impact if proper file system permissions restrict write access to non-critical directories only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specially crafted AS2 message with path traversal characters in the filename field. A public proof-of-concept is available in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.0.1 or later

Vendor Advisory: https://www.cleo.com/cleo-lexicom

Restart Required: Yes

Instructions:

1. Download the latest Cleo LexiCom version from the vendor portal.
2. Back up the current configuration.
3. Install the update following the vendor instructions.
4. Restart the LexiCom services.
5. Verify AS2 functionality.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement custom validation to reject AS2 messages containing path traversal sequences in filenames.

Custom implementation required - no standard commands.
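One way to build such a filter, as an added example that is not Cleo's code or part of the advisory: the validator below accepts only a bare filename that resolves inside the configured inbound directory, rejecting `../`, `..\`, percent-encoded (including double-encoded) variants, absolute paths and drive letters. The inbound directory path and the sample filenames are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed inbound directory for this example; adjust to your LexiCom install.
INBOUND_DIR = "/var/lexicom/inbound"


def validate_as2_filename(raw_name: str, inbound_dir: str = INBOUND_DIR) -> str:
    """Return the safe target path for an AS2 filename, or raise ValueError."""
    if not raw_name or "\x00" in raw_name:
        raise ValueError("empty filename or embedded NUL")
    # Decode twice so a double-encoded "%252e%252e%252f" does not slip through.
    name = unquote(unquote(raw_name))
    # Treat Windows and POSIX separators alike before inspecting segments.
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute path or drive letter not allowed: {raw_name!r}")
    segments = [s for s in name.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise ValueError(f"path traversal in filename: {raw_name!r}")
    if len(segments) != 1:
        raise ValueError(f"subdirectories not allowed: {raw_name!r}")
    base = posixpath.normpath(inbound_dir)
    target = posixpath.normpath(posixpath.join(base, segments[0]))
    # Defense in depth: the resolved path must still sit under the inbound dir.
    if posixpath.commonpath([target, base]) != base:
        raise ValueError(f"resolved outside inbound directory: {raw_name!r}")
    return target


def screen(filenames):
    """Classify a batch of AS2 filenames as 'accept' or 'reject'."""
    decisions = {}
    for name in filenames:
        try:
            validate_as2_filename(name)
            decisions[name] = "accept"
        except ValueError:
            decisions[name] = "reject"
    return decisions


# Constructed sample filenames (not taken from the advisory).
SAMPLE_FILENAMES = [
    "invoice_2021-06.edi",
    "../../outside.txt",
    "..\\..\\outside.txt",
    "%2e%2e%2foutside.txt",
    "%252e%252e%252foutside.txt",
    "/absolute/outside.txt",
    "C:\\outside.txt",
    "sub/dir/file.txt",
]
```

Hook `validate_as2_filename` into whatever pre-processing step handles the AS2 filename before any file is written, and log every rejection so the detection queries below have something to match.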

Restrict File System Permissions (platform: all)

Configure the LexiCom service account with minimal write permissions, limited to the specific directories it needs.

chmod 755 /var/lexicom/files (Linux)
icacls C:\LexiCom\Files /grant Users:RX (Windows)

Adjust the paths to your installation; the goal is that the service account can write only to its designated inbound directory and nothing outside it.

🧯 If You Can't Patch

  • Implement network segmentation to isolate LexiCom servers from critical systems
  • Deploy web application firewall (WAF) with path traversal detection rules for AS2 traffic

🔍 How to Verify

Check if Vulnerable:

Check LexiCom version via admin interface or configuration files. Version 5.5.0.0 is vulnerable.

Check Version:

Check the LexiCom admin console or the version setting in the configuration file.

Verify Fix Applied:

Verify that the version is 5.5.0.1 or later. Then confirm that AS2 file uploads whose filenames contain path traversal sequences are rejected.

📡 Detection & Monitoring

Log Indicators:

  • AS2 messages with filenames containing ../ or ..\ patterns
  • File write errors to unexpected directories
  • Unauthorized file creation in system directories

Network Indicators:

  • AS2 traffic with unusual filename patterns
  • Multiple failed file write attempts

SIEM Query:

source="lexicom" AND (filename="*../*" OR filename="*..\\*")

(Splunk-style syntax; the backslash is doubled so the second clause matches a literal `..\`. Adapt the source and field names to your SIEM.)
