Skip to content
    December 17, 2024

    Vulnerabilities in Cleo Software Allow for Unauthenticated Remote Code Execution via CVE-2024-55956

    What Happened

    On December 9th, Huntress released a threat advisory reporting a vulnerability and active exploitation of the file transfer management software offered by Cleo, a software company known for its ‘ecosystem integration platform’.

    Designated as CVE-2024-55956, exploitation focuses on an unrestricted file upload and download vulnerability that could lead to remote code execution. This vulnerability affects versions prior to 5.8.0.24 of Cleo’s Harmony, VLTrader, and LexiCom software. It’s also important to note that this vulnerability has been confirmed to not require prior authentication before exploitation. Unauthenticated remote code execution vulnerabilities are valuable targets for threat actors because they allow direct system compromise without needing to bypass authentication controls or obtain valid credentials first. Huntress and Rapid7 have both confirmed observations of active exploitation attempts in the wild.

    CVE ID

    CVSS

    Summary

    CVE-2024-55956

    High - 8.8

    In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

    It’s also important to note that there are two CVE ID’s being attributed to this vulnerability. This may be slightly confusing, so I wanted to help in offering an explanation. 

    • CVE-2024-50623 > issued to track the original remote code execution vulnerability disclosed by Cleo in October 2024. The patch released to address this CVE was revealed to be inadequate in preventing exploitation.
    • CVE-2024-55956 > issued to track the bypassing of the original patch and is the current CVE used to track these Cleo remote code execution vulnerabilities.

    If you are still unsure or don’t have time to dive into the specifics, just make sure your Cleo software is on 5.8.0.24 or higher. That way, you’re protected from both of these CVEs.

    What That Means

    Administrators managing Harmony, VLTrader, and LexiCom software should patch immediately to version 5.8.0.24 or higher. Vulnerabilities affecting these products can lead to remote code execution and allow an attacker into your network. Additionally, “in the wild” scanning and exploitation of these vulnerabilities has been confirmed by multiple sources.

    Exploitation of this vulnerability allows an attacker to gain a foothold in the network. From there, they may decide to pivot within the network or act more quickly and deploy ransomware right from the initial compromised host. In some confirmed instances of exploitation, defenders have seen attackers move further into the network and attempt to perform domain reconnaissance using tools such as nltest.

    Who’s Impacted

    The following list has been directly lifted from the Cleo Product Security Update for CVE-2024-55956

    • Cleo Harmony® (prior to version 5.8.0.24)
    • Cleo VLTrader® (prior to version 5.8.0.24)
    • Cleo LexiCom® (prior to version 5.8.0.24)

    How Would I Know and What Should I Do

    Several indicators of compromise have been revealed by Huntress researchers:

    File artifacts under your Harmony, VLTrader, or LexiCom installation directory, typically under C:\ or C:\Program Files (x86) - e.g. C:\LexiCom or C:\Program Files (x86)\Lexicom. Several IPs have been associated with confirmed Cleo attacks.

    IoC Type

    IoC

    File Artifact

    Autorun\healthchecktemplate.txt

    File Artifact

    Autorun\healthcheck.txt

    File Artifact

    Main.xml

    File Artifact

    60282967-dc91-40ef-a34c-38e992509c2c.xml

    Attacker IP

    176.123.5.126

    Attacker IP

    5.149.249.226

    Attacker IP

    185.181.230.103

    Attacker IP

    209.127.12.38

    Attacker IP

    181.214.147.164

    Attacker IP

    192.119.99.42

    Huntress researchers have collected examples of these file artifacts and have reported that they contain encoded powershell commands. Additionally, there may be a .dbg log file under the logs directory (e.g. C:\LexiCom\logs) that you can review to identify if any suspicious files have been uploaded to the autorun directory. The Cleo autorun feature and directory appears to be a pivotal component of the exploit chain.

    If you suspect a Cleo instance has been compromised, you should immediately attempt to contain the incident and establish a scope. In some cases, it may be advisable to isolate the Cleo service, recover from a known-good backup, and apply the latest patches before bringing back online. It is also recommended to rotate any administrator or user account passwords local to any compromised devices.

    Cleo has also offered resources for response and mitigation (behind a login)

    Workarounds

    If you are unable to patch your Cleo instances in a timely manner, consider taking them offline until able to do so or at least disable any public internet access they may have. Additionally, a temporary workaround has been suggested by Huntress to limit the attack surface. They have stated that this workaround will stop execution, but, “will not prevent the arbitrary file-write vulnerability until a patch is released.” 

    When Will it be Fixed?

    Patches are available and have been released by Cleo

    • Cleo Harmony® (version 5.8.0.24 or higher)
    • Cleo VLTrader® (version 5.8.0.24 or higher)
    • Cleo LexiCom® (version 5.8.0.24 or higher)

    How Blumira Can Help

    Blumira’s security team actively monitors this issue, and looks for additional ways that we can detect any stage of exploitation of these vulnerabilities.

    Several detections and reports are available to our customers and would help reveal any possible exploitation of these vulnerabilities or post exploitation activity:

     Type

    Name

    Detection

        Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts

     Detection

    Nltest Domain Enumeration

     Detection

    AdFind Domain Enumeration

     Detection

    Reconnaissance via Net Commands

     Detection

    PowerShell: Encoded Command Execution

     Detection (default disabled)

    PowerShell: Execution Policy Bypass

     Detection

    PowerShell: Download Invocation

     Report

    Windows: Potentially Malicious Powershell

    Jake Ouellette

    Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.

    More from the blog

    View All Posts