Skip to main content

Exploitation in the wild reported for two vulnerabilities potentially leading to RCE

Threat ID:CC-4590
Threat Severity:Medium
Published:11 December 2024 4:57 PM

Summary

Exploitation in the wild reported for two vulnerabilities potentially leading to RCE

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 5.8.0.24
Cleo Harmony
Versions: all prior to 5.8.0.24
Cleo VLTrader
Versions: all prior to 5.8.0.24
Cleo LexiCom

Threat details

Exploitation of CVE-2024-50623 and CVE-2024-55956

Exploitation of CVE-2024-50623 and CVE-2024-55956 has been reported in the wild. 

Internet-facing file transfer applications have become a popular target for ransomware and data-extortion groups, and rapidly patching vulnerable software should be considered of critical importance. NHS England National CSOC has assessed a high likelihood that exploitation of this vulnerability will increase.


Introduction

Cleo has released a security advisory addressing two vulnerabilities in Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, which are commonly used to manage file transfers.

  • Cleo LexiCom is a desktop-based client solution for communication with major trading networks
  • Cleo VLTrader is a server-level solution designed to meet the needs of mid-enterprise organisations
  • Cleo Harmony is tailored for large enterprises

Cleo has described CVE-2024-50623 as an unrestricted file upload and download vulnerability. CVE-2024-55956 could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.


Extra security measures may be needed

Security researchers are claiming that the security update v5.8.0.21 does not mitigate the software flaw and strongly recommend moving any internet-exposed Cleo systems behind a firewall until a new patch is released.

The NHS England National CSOC advises that any affected organisations consider their exposure to these vulnerabilities, put in appropriate security controls, and update to v5.8.0.24.

Threat updates

   
18 Dec 2024 CVE-2024-55956 added to CISA Known Exploited Vulnerabilities (KEV)
16 Dec 2024 CVE-2024-55956 has been assigned. This was previously referred to as 'unnamed vulnerability' or 'CVE Pending'.
13 Dec 2024 New security update v5.8.0.24 released

 

Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24). 
12 Dec 2024 Change of description of unnamed vulnerability


The impact of the unnamed vulnerability has been changed to say that it 'could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.'

Remediation advice

Affected organisations are encouraged to review the following advisories and update instances of Harmony, VLTrader, and LexiCom to the latest released security update, which is version 5.8.0.24.  In addition, assess the security controls in place for these Cleo products and continue to monitor for new security update versions. 

Remediation steps

   
Patch

Cleo Product Security Advisory - CVE-2024-55956

Advises to update to version 5.8.0.24.


https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956
Aware

Cleo Product Security Advisory - CVE-2024-50623

Advises to update to version 5.8.0.21.


https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-55956In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
StatusPublished
CVE-2024-50623In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

Last edited: 18 December 2024 1:15 pm

Back to top