CVE-2024-55956 in Cleo Harmony, VLTrader, and LexiCom Actively Exploited

ISGroup Cybersecurity

CVE-2024-55956 is being actively exploited in the wild, targeting Cleo file transfer tools: Harmony, VLTrader, and LexiCom. A well-known ransomware group, Cl0p, has claimed responsibility for these attacks, which leverage a vulnerability that allows for remote code execution. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has ordered federal agencies to apply the patch by January 2025.

ProductCleo Products
Date2024-12-18 09:25:52
Information
  • Trending
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability, identified as CVE-2024-55956, affects versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.24. Exploitation occurs due to improper handling of default settings in the Autorun directory, allowing unauthenticated attackers to import and execute arbitrary Bash or PowerShell commands. This flaw has a different root cause than CVE-2024-50623, although both vulnerabilities target similar codebases and endpoints. Attackers have exploited this weakness to conduct reconnaissance, execute commands, exfiltrate sensitive files, and deploy ransomware, with a significant impact on affected organizations.

Recommendations

Update to the latest secure version: For Harmony, VLTrader, and LexiCom, update immediately to version 5.8.0.24 or later.

[Callforaction-THREAT-Footer]