External risk intelligence

Cleo Software: Command Execution Risk

CVE advisory | Known Exploit

CVE-2024-55956

Certain Cleo products are susceptible to a vulnerability allowing unauthenticated command execution via default Autorun settings. This poses a risk of unauthorized system access and potential data compromise for affected organizations. The U.S. government has identified this as actively exploited.

Halo Surface Signal: 4

Affected product: Cleo Harmony, before 5.8.0.24

External exposure likelihood (Halo Surface Signal score for CVE-2024-55956)

The affected products (Cleo Harmony, VLTrader, and LexiCom) are managed file transfer solutions. These systems are commonly deployed as internet-facing gateways or edge services to facilitate external data exchange, making them inherently reachable from the internet in typical business configurations.

Horizon Alert

Summary of the vulnerability and why it matters

Certain Cleo products, including Harmony, VLTrader, and LexiCom, have a vulnerability that allows unauthenticated users to execute commands on the host system. This occurs when default settings are leveraged within the Autorun directory. The potential impact includes unauthorized command execution, leading to data compromise or system disruption.

  • Vulnerable Cleo software components.
  • Unauthenticated command execution flaw.
  • Potential for data loss or system compromise.

Attack Path

How an attacker could exploit the issue

An unauthenticated user can gain control of a host system by exploiting a vulnerability in the Autorun directory's default settings. This allows for the import and execution of arbitrary commands. The affected products include Cleo Harmony, VLTrader, and LexiCom.

  • Unauthenticated network access to the system.
  • Attacker imports a malicious file via the Autorun directory's default settings.
  • Arbitrary command execution occurs.

Live Threat

Current exploitation, exposure, and threat context

Exploitation of this vulnerability could allow an unauthenticated user to execute arbitrary commands on the host system. The attack leverages default settings within the Autorun directory, posing a significant risk to organizations using the affected Cleo products. Successful exploitation could lead to unauthorized access and control of the affected systems. The U.S. government has identified this vulnerability as actively exploited, indicating a high level of threat.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access, unauthenticated
  • Business risk or urgency: High, actively exploited

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Cleo's managed file transfer products (Harmony, VLTrader, and LexiCom) are susceptible to an unauthenticated command execution vulnerability. The issue arises from default settings that allow the import and execution of arbitrary Bash or PowerShell commands on the host system. The potential impact includes unauthorized system access and control, which poses a significant business risk.

  • Identify all instances of Cleo Harmony, VLTrader, and LexiCom.
  • Limit network access to these systems.
  • Update software and confirm the fix.
  • Monitor for unusual system activity.
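The first and third steps above (identify instances, confirm the fix) reduce to checking each deployment's version against the fixed release 5.8.0.24 named in this advisory. The script below is an added example, not Cleo's tooling or code from this page; the inventory format (host,product,version) and the host names are constructed sample data. It compares versions numerically, because a plain string comparison would rank a vulnerable build such as 5.8.0.9 above 5.8.0.24 and wrongly report it as patched.

```python
import re
from typing import Iterable

FIXED_VERSION = "5.8.0.24"          # fixed release named in the advisory
AFFECTED_PRODUCTS = {"cleo harmony", "vltrader", "lexicom"}


def parse_version(v: str) -> tuple:
    """Turn '5.8.0.24' into (5, 8, 0, 24) so comparison is numeric.

    Lexically '5.8.0.9' > '5.8.0.24' is True, which would mark a
    vulnerable build as patched; tuples of ints avoid that pitfall.
    """
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the product is one of the affected Cleo MFT products
    and its version is below the fixed release."""
    if product.strip().lower() not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Iterable[str]) -> list:
    """Classify each 'host,product,version' line (constructed format,
    not a Cleo export); blank lines and '#' comments are skipped."""
    findings = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        findings.append({"host": host, "product": product, "version": version,
                         "vulnerable": is_vulnerable(product, version)})
    return findings


# Constructed sample inventory; hosts and versions are illustrative only.
SAMPLE_INVENTORY = """
# host,product,version
mft-edge-01,Cleo Harmony,5.8.0.21
mft-edge-02,VLTrader,5.8.0.9
mft-edge-03,LexiCom,5.8.0.24
mft-edge-04,Cleo Harmony,5.8.1.0
app-01,OtherProduct,1.2.3
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        status = f"VULNERABLE: upgrade to {FIXED_VERSION} or later" if f["vulnerable"] else "ok"
        print(f"{f['host']:<12} {f['product']:<13} {f['version']:<9} {status}")
```

Feed it your real inventory export (one host per line) to get the list of deployments that still need the upgrade or, failing that, Autorun disabled and network access restricted as described in the FAQ.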

Frequently asked questions

What are Cleo Harmony, VLTrader, and LexiCom?

Cleo Harmony, VLTrader, and LexiCom are managed file transfer solutions designed for secure data exchange within and between organizations. They are crucial for businesses that need to move data reliably and securely.

How does CVE-2024-55956 enable command execution?

This vulnerability is a command injection flaw (CWE-77). Attackers can exploit default settings in the Autorun directory to import and execute arbitrary Bash or PowerShell commands on the host system, potentially leading to system compromise.

What conditions allow for exploitation of this flaw?

An unauthenticated user can exploit this flaw by importing specific files that leverage the default settings of the Autorun directory. This bypasses the need for any prior authentication to gain control.

Why is this vulnerability considered relevant to cyber threat intelligence?

This vulnerability is actively exploited in the wild by threat actors like CL0P, who aim for data theft and system compromise. Its impact is considered critical, and it has been identified as a significant risk by security researchers and government agencies.

What actions should be taken to address this vulnerability?

Organizations should immediately upgrade affected Cleo products to version 5.8.0.24 or higher. If an upgrade is not immediately possible, disabling the Autorun feature and limiting network access to these systems are recommended mitigation steps.
