Cleo Releases Security Advisory for Harmony, VLTrader, and LexiCom
Exploitation in the wild reported for two vulnerabilities potentially leading to RCE
Summary
Exploitation in the wild reported for two vulnerabilities potentially leading to RCE
Affected platforms
The following platforms are known to be affected:
- Cleo Harmony
- Cleo VLTrader
- Cleo LexiCom
Threat details
Exploitation of CVE-2024-50623 and CVE-2024-55956
Exploitation of CVE-2024-50623 and CVE-2024-55956 has been reported in the wild.
Internet-facing file transfer applications have become a popular target for ransomware and data-extortion groups, so rapidly patching vulnerable software should be treated as critically important. NHS England National CSOC has assessed a high likelihood that exploitation of these vulnerabilities will increase.
Introduction
Cleo has released a security advisory addressing two vulnerabilities in Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, which are commonly used to manage file transfers.
- Cleo LexiCom is a desktop-based client solution for communication with major trading networks
- Cleo VLTrader is a server-level solution designed to meet the needs of mid-enterprise organisations
- Cleo Harmony is tailored for large enterprises
Cleo has described CVE-2024-50623 as an unrestricted file upload and download vulnerability. CVE-2024-55956 could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Extra security measures may be needed
Security researchers are claiming that the security update v5.8.0.21 does not mitigate the software flaw and strongly recommend moving any internet-exposed Cleo systems behind a firewall until a new patch is released.
The NHS England National CSOC advises that any affected organisations consider their exposure to these vulnerabilities, put in appropriate security controls, and update to v5.8.0.24.
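The advisory's remediation logic has two thresholds: v5.8.0.21 was issued for CVE-2024-50623 but does not mitigate CVE-2024-55956, and only v5.8.0.24 addresses both. The following triage script is an added example (not code from Cleo or NHS England) that applies that logic to a constructed inventory of hypothetical hosts, flagging what each instance is still exposed to and whether it should sit behind a firewall until updated.

```python
# Version thresholds taken from the advisory text: v5.8.0.21 fixed
# CVE-2024-50623 but does not mitigate CVE-2024-55956; v5.8.0.24 fixes both.
FIRST_PATCH = (5, 8, 0, 21)
FULL_PATCH = (5, 8, 0, 24)


def parse_version(text: str) -> tuple:
    """Turn 'v5.8.0.21' or '5.8.0.24' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def assess(version: str, internet_exposed: bool) -> tuple:
    """Classify one Cleo instance; returns (status, recommended action)."""
    v = parse_version(version)
    if v >= FULL_PATCH:
        return "patched", "monitor for further security updates"
    if v >= FIRST_PATCH:
        status = "vulnerable to CVE-2024-55956"
    else:
        status = "vulnerable to CVE-2024-50623 and CVE-2024-55956"
    action = "update to 5.8.0.24"
    if internet_exposed:
        # Mirrors the advice to keep exposed systems behind a firewall until patched.
        action += "; move behind a firewall until updated"
    return status, action


# Constructed sample inventory (hypothetical hosts): host,product,version,exposed
SAMPLE_INVENTORY = """\
mft-01,Cleo Harmony,v5.8.0.19,yes
mft-02,Cleo VLTrader,5.8.0.21,yes
mft-03,Cleo LexiCom,5.8.0.24,no
"""


def triage(inventory_csv: str) -> list:
    """Return [(host, product, version, status, action)] for each inventory row."""
    results = []
    for line in inventory_csv.strip().splitlines():
        host, product, version, exposed = [f.strip() for f in line.split(",")]
        status, action = assess(version, exposed.lower() == "yes")
        results.append((host, product, version, status, action))
    return results


if __name__ == "__main__":
    for host, product, version, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:7} {product:14} {version:10} {status}: {action}")
```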
Threat updates
Date | Update |
---|---|
18 Dec 2024 | CVE-2024-55956 added to CISA Known Exploited Vulnerabilities (KEV) |
16 Dec 2024 | CVE-2024-55956 has been assigned. This was previously referred to as 'unnamed vulnerability' or 'CVE Pending'. |
13 Dec 2024 | New security update v5.8.0.24 released. Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24). |
12 Dec 2024 | Change of description of unnamed vulnerability |
Remediation advice
Affected organisations are encouraged to review the following advisories and update instances of Harmony, VLTrader, and LexiCom to the latest released security update, which is version 5.8.0.24. In addition, assess the security controls in place for these Cleo products and continue to monitor for new security update versions.
Remediation steps
Type | Step |
---|---|
Patch | Cleo Product Security Advisory - CVE-2024-55956: advises updating to version 5.8.0.24. https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956 |
Aware | Cleo Product Security Advisory - CVE-2024-50623: advises updating to version 5.8.0.21. https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623 |
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 18 December 2024 1:15 pm