CVE-2024-55956

CVE-2024-55956 is a critical-severity vulnerability in Cleo Harmony with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-12-17). The underlying weakness is classified as CWE-77.

Key facts

Description

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

CVE-2024-55956: Cleo MFT Products Unauthenticated Remote Command Execution via Autorun Directory

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2024-55956
CVSS v3.1 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.93804 (99.8th percentile)
CISA KEV Yes — added 2024-12-17
EU Exploited Yes — since 2024-12-17
CWE CWE-77: Command Injection
Published 2024-12-13
Affected Products Cleo Harmony, VLTrader, LexiCom (< 5.8.0.24)

Summary

Cleo Harmony, VLTrader, and LexiCom before version 5.8.0.24 contain an unauthenticated remote command execution vulnerability. The products' default configuration exposes an Autorun directory that accepts incoming files and automatically executes associated scripts without authentication. An unauthenticated attacker can place malicious Bash or PowerShell payloads into this directory, achieving full host compromise with network-level access and no privileges required.

Background

Cleo provides managed file transfer (MFT) and B2B integration software widely used in enterprise supply chains, logistics, and healthcare to automate secure data exchange. The Autorun feature is intended to streamline post-processing workflows by automatically executing scripts when new files arrive. In affected versions, this Autorun endpoint is reachable by unauthenticated network users, transforming a convenience feature into a critical attack surface.

Root Cause

CWE-77: Command Injection — The vulnerability stems from improper neutralization of special elements used in a command. The Autorun directory processes incoming files and executes their associated command scripts without validating the sender's identity, the file's origin, or the script's content. This effectively allows any network-reachable actor to write a file that triggers arbitrary operating-system commands under the service account running the Cleo application.

Impact

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects the full scope of the risk:

  • Confidentiality (High): The attacker can read any file accessible to the service account, including configuration files, credential stores, and transmitted data.
  • Integrity (High): The attacker can modify or delete data, implant backdoors, or alter integration mappings to silently redirect future transfers.
  • Availability (High): The attacker can terminate the application, delete critical binaries, or hold the system for ransom.

Because the attack requires no privileges or user interaction and is over the network, this vulnerability is trivially exploitable at scale.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: The following description is intended for defenders, incident responders, and security architects to understand the attack chain and build effective detection. It does not provide a working exploit or step-by-step attacker playbook.

  1. Reconnaissance: The attacker identifies an exposed Cleo instance, typically on ports used for file transfer or management interfaces.
  2. Payload Delivery: The attacker uploads a file into the Autorun directory. The file may be a benign-looking data file with a companion script, or the file itself may contain embedded command directives that the Autorun handler parses.
  3. Trigger Execution: The Cleo engine automatically evaluates the file and executes the associated script using the host's Bash or PowerShell interpreter, depending on the platform.
  4. Post-Exploitation: With arbitrary code execution, the attacker can pivot laterally, exfiltrate data, or establish persistence mechanisms such as scheduled tasks or new service accounts.

Defensive value lies in monitoring the Autorun directory for unexpected file creation, restricting network access to known endpoints, and ensuring authentication is required for any file-ingestion path.

Affected and Patched Versions

Product Affected Patched
Cleo Harmony < 5.8.0.24 5.8.0.24
Cleo VLTrader < 5.8.0.24 5.8.0.24
Cleo LexiCom < 5.8.0.24 5.8.0.24

Remediation

  1. Upgrade immediately. Install Cleo version 5.8.0.24 or later for Harmony, VLTrader, and LexiCom. This is the only complete fix.
  2. Compensating controls (if upgrade is delayed):
    • Restrict network-level access to the Autorun ingestion path to a tightly controlled allow-list of known trading partners or internal systems.
    • Disable the Autorun feature entirely if it is not required for business operations.
    • Ensure the service account running Cleo operates with the principle of least privilege (not LocalSystem or root).
    • Implement file-integrity monitoring on the Autorun directory to alert on unexpected file arrivals.
  3. Post-remediation: Rotate any credentials stored in Cleo configuration files or accessible to the service account, as they may have been compromised during exploitation.

Detection

  • File-system monitoring: Alert on file creation events in the Autorun directory from non-standard processes or remote IP addresses.
  • Process creation: Monitor for child processes spawned by the Cleo application process (e.g., bash.exe, powershell.exe, cmd.exe, or unexpected Unix shells).
  • Network connections: Correlate inbound file-transfer sessions with subsequent outbound network connections from the Cleo service account, which may indicate data exfiltration or command-and-control activity.
  • EDR/XDR rules: Flag high-severity process chains where the Cleo application parent launches scripting interpreters with command-line arguments referencing the Autorun path.

Assessment

With an EPSS of 0.93804 and confirmed inclusion in CISA's Known Exploited Vulnerabilities catalog within four days of publication, this vulnerability is not merely theoretical—it is being actively exploited in the wild. The high EPSS percentile (99.8) indicates that the probability of in-the-wild exploitation is near-certainty. The primary lesson is that automation features such as Autorun must be architected with authentication and sandboxing as first-class requirements, not afterthoughts. A second lesson is the speed of weaponization: enterprises running exposed MFT infrastructure should treat patching and credential rotation as emergency-change events rather than routine maintenance.

References

Frequently asked questions

What is CVE-2024-55956?
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
How severe is CVE-2024-55956?
CVE-2024-55956 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-55956 being actively exploited?
Yes. CVE-2024-55956 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-12-17, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-55956?
CVE-2024-55956 primarily affects Cleo Harmony. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-55956?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-55956 have an EU (EUVD) identifier?
Yes. CVE-2024-55956 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-52864. It is also flagged as exploited in the EUVD (since 2024-12-17).
When was CVE-2024-55956 published?
CVE-2024-55956 was published on 2024-12-13 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Cleo Harmony

All CVEs affecting Cleo Harmony →

Other CWE-77 (Command Injection) vulnerabilities

Browse all CWE-77 (Command Injection) vulnerabilities →