CVE-2024-55956 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Cleo Multiple Products Unauthenticated File Upload Vulnerability

Exploit added

December 17, 2024

Action due

January 7, 2025

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-77	Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-276	Incorrect Default Permissions

Known Affected Software Configurations

cpe:2.3:a:cleo:lexicom:5.6.1:::::::*
cpe:2.3:a:cleo:lexicom:5.6.2:::::::*
cpe:2.3:a:cleo:lexicom:5.6:::::::*
cpe:2.3:a:cleo:lexicom:5.7:::::::*
cpe:2.3:a:cleo:lexicom:5.5.0.0:::::::*

Details

Source:
NVD

Published:
December 13, 2024

Updated:
December 20, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined