CVE-2024-55956 is being actively exploited in the wild, targeting Cleo file transfer tools: Harmony, VLTrader, and LexiCom. A well-known ransomware group, Cl0p, has claimed responsibility for these attacks, which leverage a vulnerability that allows for remote code execution. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has ordered federal agencies to apply the patch by January 2025.
| Product | Cleo Products |
| Date | 2024-12-18 09:25:52 |
| Information |
|
Technical Summary
The vulnerability, identified as CVE-2024-55956, affects versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.24. Exploitation occurs due to improper handling of default settings in the Autorun directory, allowing unauthenticated attackers to import and execute arbitrary Bash or PowerShell commands. This flaw has a different root cause than CVE-2024-50623, although both vulnerabilities target similar codebases and endpoints. Attackers have exploited this weakness to conduct reconnaissance, execute commands, exfiltrate sensitive files, and deploy ransomware, with a significant impact on affected organizations.
Recommendations
Update to the latest secure version: For Harmony, VLTrader, and LexiCom, update immediately to version 5.8.0.24 or later.
[Callforaction-THREAT-Footer]
