CVE-2024-55956

nvd nist nuclei

Published: Dec 13, 2024Modified: Nov 4, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

Affected (3)

Products: Cleo: Harmony, Lexicom, Vltrader

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Cleo Harmony	Before 5.8.0.24
Cleo Lexicom	Before 5.8.0.24
Cleo Vltrader	Before 5.8.0.24

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (4)

https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending

Source: cve@mitre.org

Vendor Advisory

https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55956

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.