Advisory

December 18 Advisory: Cleopocalypse: 70% of Cleo File Transfer Exposures may be Vulnerable to Unauthenticated RCE [CVE-2024-55956]

Date of Disclosure: December 10, 2024
Date Reported as Actively Exploited: December 17, 2024

Last week, we reported on CVE-2024-50623 in multiple Cleo file transfer products, an unrestricted file upload vulnerability that was disclosed and reported as actively exploited on December 9, 2024. Cleo released version 5.8.0.21 to address it, but subsequent reports indicated that instances running that patch remained exploitable.

Shortly after, a separate and more severe vulnerability, CVE-2024-55956, was identified in the Cleo products Harmony, VLTrader, and LexiCom. It allows an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. At the time of writing, this CVE is still awaiting analysis by the NVD.

Exploitation in the wild has been reported as far back as December 3, and the Cl0p ransomware group has claimed responsibility for a mass exploitation campaign targeting it. A newer ransomware group, Termite, was initially suspected of the attacks, with some researchers suggesting Termite may be a successor to Cl0p. Cl0p's claim is not, on its own, definitive proof of attribution.


CVE-ID: CVE-2024-55956 – CVSS 9.8 (critical) – assigned by CISA ADP
Vulnerability Description: In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Date of Disclosure: December 10, 2024
Affected Assets: The following Cleo products are affected:
  • Cleo Harmony
  • Cleo VLTrader
  • Cleo LexiCom
Vulnerable Software Versions: Versions before 5.8.0.24. Note that 5.8.0.21, the patch released for CVE-2024-50623, is still below the fixed version and remains affected.
PoC Available?: Yes. Rapid7 provided a detailed analysis of CVE-2024-55956 in their blog, and Ostorlab shared a public exploit in their GitHub repository.
Exploitation Status: Added to the CISA Known Exploited Vulnerabilities (KEV) catalog on December 17, 2024.
Patch Status: Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address this vulnerability.

Censys Perspective

At the time of writing, Censys observed 1,442 exposed Cleo Harmony, VLTrader, and LexiCom instances online, a large proportion of which (63%) are geolocated in the United States. Of these exposures, 1,011 hosts, or 70%, were observed running an unpatched version below 5.8.0.24.

[Map of exposed and vulnerable Cleo instances]

Note that the Search and ASM queries below discover all affected Cleo products regardless of version, while the ASM Risk query specifically pinpoints instances observed running a vulnerable version, for Censys ASM customers.

Censys Search Query:

services.software.vendor = "Cleo" and services.software:(product="VLTrader" or product="Harmony" or product="LexiCom")

Censys ASM Query:

host.services.software.vendor = "Cleo" and host.services.software:(product="VLTrader" or product="Harmony" or product="LexiCom") 

Censys ASM Risk Query:

risks.name: "Vulnerable Cleo Instance [CVE-2024-55956]"

Note that this risk was recently deployed and results may take 24 hours to fully propagate.
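Applying the advisory's version threshold to a list of fingerprinted Cleo hosts is the step between the discovery queries above, which return all affected products regardless of version, and the risk query, which returns only vulnerable instances. The script below is an added example, not Censys or Cleo code. It uses a constructed, simplified record layout (ip, software.vendor/product/version) rather than any Censys export schema, compares versions as integer tuples because a string comparison would rank 5.8.0.9 above 5.8.0.24, and keeps hosts with no readable version in a separate "unknown" bucket instead of counting them as either patched or vulnerable.

```python
"""Version triage for CVE-2024-55956 across observed Cleo instances.

Added example, not Censys or Cleo code. The records below are constructed;
the field names (ip, software.vendor/product/version) are an assumed,
simplified inventory layout, not a Censys export schema.
"""
from __future__ import annotations

import re

# Fix version for Harmony, VLTrader and LexiCom, per the advisory.
FIXED_VERSION = (5, 8, 0, 24)
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version: str | None) -> tuple[int, ...] | None:
    """'5.8.0.21' -> (5, 8, 0, 21); None when no leading dotted number is present."""
    if not version:
        return None
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str | None) -> bool | None:
    """True if version < 5.8.0.24, False if >= 5.8.0.24, None if unknown.

    Compare as integer tuples, not strings: as strings, '5.8.0.9' < '5.8.0.24'
    is False and a vulnerable host would be silently reported as patched.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    padded = parsed + (0,) * (len(FIXED_VERSION) - len(parsed))  # '5.8' -> 5.8.0.0
    return padded < FIXED_VERSION


def classify(records: list[dict]) -> dict[str, list[dict]]:
    """Bucket records into vulnerable / patched / unknown / not_affected."""
    buckets: dict[str, list[dict]] = {
        "vulnerable": [], "patched": [], "unknown": [], "not_affected": []
    }
    for rec in records:
        sw = rec.get("software", {})
        if sw.get("vendor") != "Cleo" or sw.get("product") not in AFFECTED_PRODUCTS:
            buckets["not_affected"].append(rec)
            continue
        state = is_vulnerable(sw.get("version"))
        if state is None:
            buckets["unknown"].append(rec)
        elif state:
            buckets["vulnerable"].append(rec)
        else:
            buckets["patched"].append(rec)
    return buckets


def summarize(records: list[dict]) -> dict[str, float]:
    """Counts plus the share of exposed Cleo hosts known to run a vulnerable version.

    Hosts whose version could not be read count as exposed but not as
    vulnerable, so the share is a floor; treat 'unknown' as 'verify by hand'.
    """
    b = classify(records)
    exposed = len(b["vulnerable"]) + len(b["patched"]) + len(b["unknown"])
    return {
        "exposed": exposed,
        "vulnerable": len(b["vulnerable"]),
        "patched": len(b["patched"]),
        "unknown": len(b["unknown"]),
        "vulnerable_share": len(b["vulnerable"]) / exposed if exposed else 0.0,
    }


# Constructed sample inventory (documentation IP range, not real hosts).
SAMPLE_RECORDS = [
    # 5.8.0.21 is the CVE-2024-50623 patch and is still below 5.8.0.24.
    {"ip": "192.0.2.10", "software": {"vendor": "Cleo", "product": "Harmony", "version": "5.8.0.21"}},
    # Would be misclassified as patched by a string comparison.
    {"ip": "192.0.2.11", "software": {"vendor": "Cleo", "product": "VLTrader", "version": "5.8.0.9"}},
    {"ip": "192.0.2.12", "software": {"vendor": "Cleo", "product": "LexiCom", "version": "5.8.0.24"}},
    # Hypothetical later build, present only to exercise the 'greater than' path.
    {"ip": "192.0.2.13", "software": {"vendor": "Cleo", "product": "Harmony", "version": "5.9.0.0"}},
    # Product fingerprinted but no version in the banner.
    {"ip": "192.0.2.14", "software": {"vendor": "Cleo", "product": "Harmony"}},
    {"ip": "192.0.2.15", "software": {"vendor": "Other", "product": "Harmony", "version": "1.0"}},
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the sample data the script reports five exposed Cleo hosts, two of them known vulnerable (a 40% share), one with an unreadable version, and one non-Cleo host excluded entirely. When run over real fingerprint data, the "unknown" bucket is the one to chase manually before quoting a vulnerable percentage.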
