CVE-2024-55956
published 2024-12-13

Priority: P1 (99) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-01-07
Exploited in the wild
EPSS: 93.80% (99.8th percentile)

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

Affected

3 ranges
Vendor   Product    Version range   Fixed in
cleo     harmony    < 5.8.0.24      5.8.0.24
cleo     lexicom    < 5.8.0.24      5.8.0.24
cleo     vltrader   < 5.8.0.24      5.8.0.24

Detection & IOCs (extracted from sources)

ip: 176.123.5.126
ip: 5.149.249.226
ip: 185.181.230.103
ip: 209.127.12.38
ip: 181.214.147.164
ip: 192.119.99.42
filename: 60282967-dc91-40ef-a34c-38e992509c2c.xml
filename: healthchecktemplate.txt
filename: healthcheck.txt
other: Malichus (Java backdoor)
other: Freemarker template (malicious server-side JavaScript)
process: nltest.exe
sigma: Possible Cleo MFT Exploitation 2024
sigma: Javaw Spawning Suspicious PowerShell

  • Cleo software (LexiCom, VLTrader, Harmony) versions up to and including 5.8.0.21 are vulnerable; exploitation observed even on fully patched 5.8.0.21 systems
  • Monitor the Autorun directory (default: C:\LexiCom\autorun, C:\VLTrader\autorun, C:\Harmony\autorun) for unexpected files, especially healthchecktemplate.txt and healthcheck.txt
  • Look for javaw.exe spawning PowerShell processes as a child-parent relationship indicative of exploitation
  • Inspect LexiCom.xml and LexiCom.dbg log files for references to malicious autorun files being processed, including healthchecktemplate.txt and healthcheck.txt
  • Watch for outbound connections from Cleo software processes to external IPs to retrieve JAR files used for post-exploitation persistence
  • Attackers delete dropped JAR files post-execution to evade detection; look for file creation/deletion artifacts in Cleo install directories
  • Notable exploitation uptick observed on December 8 around 07:00 UTC; earliest evidence of exploitation dates to December 3, 2024
  • VLSync AS2 service path autorun/healthchecktemplate.txt seen in multipart request logs; monitor for this path in Cleo service logs
  • The CVE-2024-50623 patch (version 5.8.0.21) does NOT mitigate CVE-2024-55956; systems must be upgraded to 5.8.0.24 or later
  • Cleo software is commonly installed at the root of the filesystem (C:\LexiCom, C:\VLTrader, C:\Harmony) by default, increasing exposure surface
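The detection bullets above translate directly into a small triage routine. The following is an added example (not code from the page, from Cleo, or from the Sigma rules named above) that applies those bullets to constructed Sysmon-style events serialised one JSON object per line: process creation, file create/delete and network connect. The IP, filename and process indicators are the ones listed on this page; the event field names (`parent_image`, `image`, `path`, `dest_ip`) and the assumption that Cleo runs under `javaw.exe`/`java.exe` are this example's own.

```python
"""Triage helper for the Cleo Autorun detection bullets (added example)."""
import json
import ntpath
from dataclasses import dataclass

# Indicators copied from the IOC list on this page.
AUTORUN_DIRS = {r"c:\lexicom\autorun", r"c:\vltrader\autorun", r"c:\harmony\autorun"}
CLEO_ROOTS = (r"c:\lexicom", r"c:\vltrader", r"c:\harmony")
IOC_FILENAMES = {"healthchecktemplate.txt", "healthcheck.txt",
                 "60282967-dc91-40ef-a34c-38e992509c2c.xml"}
IOC_IPS = {"176.123.5.126", "5.149.249.226", "185.181.230.103",
           "209.127.12.38", "181.214.147.164", "192.119.99.42"}
# Assumption: the Cleo products run under javaw.exe (as the Sigma rule title implies).
CLEO_PROCS = {"javaw.exe", "java.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash.exe", "nltest.exe"}


@dataclass
class Alert:
    rule: str
    detail: str


def _norm(path: str) -> str:
    # ntpath.normcase lowercases and converts '/' to '\', on any host OS.
    return ntpath.normcase(path)


def _under_cleo_root(path: str) -> bool:
    return any(path.startswith(root + "\\") for root in CLEO_ROOTS)


def check_event(ev: dict) -> list[Alert]:
    """Return the alerts a single normalised event triggers (possibly none)."""
    alerts: list[Alert] = []
    kind = ev.get("event")
    if kind == "process_create":
        # Bullet: javaw.exe spawning PowerShell (or another shell / nltest.exe).
        parent = ntpath.basename(_norm(ev.get("parent_image", "")))
        child = ntpath.basename(_norm(ev.get("image", "")))
        if parent in CLEO_PROCS and child in SHELL_CHILDREN:
            alerts.append(Alert("cleo_java_spawns_shell",
                                f"{parent} -> {child}: {ev.get('command_line', '')}"))
    elif kind in ("file_create", "file_delete"):
        path = _norm(ev.get("path", ""))
        name = ntpath.basename(path)
        if ntpath.dirname(path) in AUTORUN_DIRS:
            # Bullet: any unexpected file in Autorun; known IOC names get their own rule.
            rule = "autorun_known_ioc_name" if name in IOC_FILENAMES else "autorun_unexpected_file"
            alerts.append(Alert(rule, f"{kind}: {ev['path']}"))
        elif kind == "file_delete" and name.endswith(".jar") and _under_cleo_root(path):
            # Bullet: dropped JARs are deleted after execution; keep the deletion artifact.
            alerts.append(Alert("cleo_jar_deleted", f"{kind}: {ev['path']}"))
    elif kind == "network_connect":
        # Bullet: outbound connections to the listed IPs.
        if ev.get("dest_ip") in IOC_IPS:
            proc = ntpath.basename(_norm(ev.get("image", "")))
            alerts.append(Alert("known_ioc_ip",
                                f"{proc} -> {ev['dest_ip']}:{ev.get('dest_port', '?')}"))
    return alerts


def scan(lines) -> list[Alert]:
    """Run check_event over JSON-lines input, skipping blank and malformed lines."""
    alerts: list[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alerts.extend(check_event(json.loads(line)))
        except json.JSONDecodeError:
            continue  # one broken line must not abort the whole triage run
    return alerts


# Constructed sample telemetry (not real logs); command lines are redacted.
SAMPLE_LOG = r"""
{"event": "process_create", "parent_image": "C:\\LexiCom\\jre\\bin\\javaw.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -Command <redacted>"}
{"event": "file_create", "path": "C:\\LexiCom\\autorun\\healthchecktemplate.txt"}
{"event": "file_create", "path": "C:\\VLTrader\\autorun\\invoice_sync.txt"}
{"event": "network_connect", "image": "C:\\LexiCom\\jre\\bin\\javaw.exe", "dest_ip": "176.123.5.126", "dest_port": 443}
{"event": "file_delete", "path": "C:\\LexiCom\\temp\\update.jar"}
{"event": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
{"event": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dest_ip": "10.0.0.5", "dest_port": 443}
{"event": "process_create", "parent_image": "C:\\Harmony\\jre\\bin\\javaw.exe", "image": "C:\\Windows\\System32\\nltest.exe", "command_line": "nltest.exe <redacted>"}
"""


def triage_sample() -> list[str]:
    """Rule names fired by the constructed sample, in input order."""
    return [a.rule for a in scan(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] {alert.detail}")
```

Only the three Cleo processes' shell children and the page's own IP and filename indicators fire here; a create in the Autorun directory is flagged regardless of name because that directory executes what lands in it, while JAR deletions are only flagged under the default Cleo install roots to keep noise down.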

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL