CVE-2024-55956
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary Bash or PowerShell commands on affected Cleo systems by exploiting the default Autorun directory settings. It affects Cleo Harmony, VLTrader, and LexiCom versions before 5.8.0.24. This is a critical remote code execution vulnerability with a CVSS score of 9.8.
💻 Affected Systems
- Cleo Harmony
- VLTrader
- LexiCom
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise, data exfiltration, ransomware deployment, lateral movement across network, and persistent backdoor installation.
Likely Case
Initial foothold leading to data theft, credential harvesting, and deployment of additional malware payloads.
If Mitigated
Limited impact if network segmentation and strict access controls prevent lateral movement and external communication.
🎯 Exploit Status
Actively exploited in the wild according to CISA and Huntress reports. Exploitation requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.0.24
Vendor Advisory: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending
Restart Required: Yes
Instructions:
1. Download the patch from the Cleo support portal.
2. Back up the current configuration.
3. Apply the patch following the vendor instructions.
4. Restart the affected services.
5. Verify that the patch is installed.
🔧 Temporary Workarounds
Disable Autorun Directory
Remove or restrict access to the Autorun directory to prevent command injection.
# Linux (replace the placeholder with your installation's Autorun directory):
chmod 000 /path/to/autorun
# Windows (replace the placeholder with your installation's Autorun directory):
icacls "C:\path\to\autorun" /deny Everyone:(F)
Network Segmentation
Isolate affected systems from the internet and restrict internal network access.
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to isolate affected systems
- Deploy application control/whitelisting to prevent unauthorized command execution
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Cleo Harmony, VLTrader, or LexiCom version is below 5.8.0.24 and whether the Autorun directory is still enabled with its default settings.
Check Version:
# Check version in application interface or configuration files
Verify Fix Applied:
Verify that the version is 5.8.0.24 or higher and that Autorun directory functionality is restricted.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to Autorun directory
- Unusual command execution patterns
- Failed authentication attempts to Cleo services
Network Indicators:
- Unexpected outbound connections from Cleo systems
- Command and control traffic patterns
SIEM Query:
source="cleo*" AND (event="autorun_access" OR cmd="*powershell*" OR cmd="*bash*")
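The two checks this page asks for, a version comparison against 5.8.0.24 and a sweep of application logs for Autorun-launched shell interpreters, as an added example that is not part of the advisory or of Cleo's own tooling. The log format and the sample lines are constructed; real Cleo log formats differ, so the regex is an assumption to adapt to your deployment.

```python
"""Exposure check and log triage for CVE-2024-55956 (added example, not Cleo code)."""
import re
from typing import List, Tuple

FIXED_VERSION = "5.8.0.24"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so comparison is numeric, not lexical.
    A plain string compare would rank '5.8.0.9' above '5.8.0.24' and miss it."""
    return tuple(int(part) for part in v.strip().split("."))


def is_exposed(version: str, autorun_enabled: bool = True) -> bool:
    """Exposed state: below the fixed version AND the Autorun directory still active.
    Disabling Autorun is the page's workaround, so it clears the exposed state
    even though the binary remains unpatched."""
    return parse_version(version) < parse_version(FIXED_VERSION) and autorun_enabled


# Constructed sample log: 'timestamp level component message' (format is an assumption).
SAMPLE_LOG = """\
2024-12-10T03:12:44Z INFO  transfer  PUT /inbound/report.xml from 203.0.113.7
2024-12-10T03:12:45Z INFO  autorun   picked up file autorun/main.xml
2024-12-10T03:12:45Z INFO  autorun   executing command: powershell -enc SQBFAFgA...
2024-12-10T03:12:46Z INFO  autorun   executing command: /bin/bash -c "id"
2024-12-10T03:13:01Z INFO  transfer  GET /outbound/invoice.pdf from 192.0.2.5
"""

# Mirrors the SIEM query above: Autorun activity combined with a shell interpreter.
SUSPICIOUS = re.compile(r"\bautorun\b.*(?:powershell|bash|cmd\.exe|sh -c)", re.IGNORECASE)


def triage(log_text: str) -> List[str]:
    """Return only the lines where the Autorun component launched a shell."""
    return [line for line in log_text.splitlines() if SUSPICIOUS.search(line)]


if __name__ == "__main__":
    print("exposed:", is_exposed("5.8.0.9"))
    for hit in triage(SAMPLE_LOG):
        print("ALERT:", hit)
```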
🔗 References
- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending
- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55956