CVE-2024-55956: Cleo MFT — Unrestricted File Upload to RCE

CVE Details

CVE ID CVE-2024-55956
CVSS Score 9.8
Severity Critical
Vendor Cleo
Product Harmony / VLTrader / LexiCom
Patch Status Available
Published April 8, 2026

Background

Cleo is a managed file transfer (MFT) software vendor whose products — Harmony, VLTrader, and LexiCom — are widely used in supply chain, logistics, and e-commerce sectors for B2B data exchange. Cleo’s MFT platform handles sensitive business transactions including purchase orders, invoices, shipping manifests, and EDI (Electronic Data Interchange) documents. Its role as a B2B data exchange hub makes it a strategically valuable target — similar to the GoAnywhere and MOVEit attacks that preceded it.

CVE-2024-55956 is a critical unrestricted file upload vulnerability disclosed in December 2024. It was exploited as a zero-day by the Clop ransomware group (the same group responsible for the GoAnywhere and MOVEit zero-day campaigns) before patches were available, following the group’s established pattern of targeting MFT platforms in coordinated mass exploitation campaigns.

Technical Mechanism

CVE-2024-55956 is an unrestricted file upload vulnerability in Cleo Harmony, VLTrader, and LexiCom’s autorun feature. These products include a file-based automation feature that watches specific directories for files and executes commands or processes them automatically when files are placed in those directories.

The vulnerability arises because:

  1. The autorun directory is accessible without authentication
  2. Files placed in the autorun directory are executed by the application

An attacker can upload malicious files to the autorun directory via a crafted HTTP request, and the Cleo application will process and execute those files:

# Step 1: Upload malicious file to unauthenticated autorun endpoint
PUT /Cleo/Harmony/inbox/../autorun/<malicious_file.xml> HTTP/1.1
Host: cleo.target.com
Content-Type: application/xml

<xml content that executes OS commands when processed>

The autorun feature processes XML-based workflow definitions. A malicious XML file can define a workflow step that executes arbitrary OS commands using Cleo’s built-in scripting capabilities (VBScript, Groovy, or Bash, depending on platform).

Combined with CVE-2024-50623 (an earlier path traversal in the same product line), the full attack chain provides unauthenticated access to the autorun directory and arbitrary command execution. The Cleo application runs as a Windows service with SYSTEM or high-privilege service account permissions on most deployments, providing elevated code execution.
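The traversal-then-write pattern described above can be caught at the web tier by resolving the request path before matching on it, which is more robust than looking for a literal "autorun" string in the URI. The script below is an added example, not Cleo's code and not part of the original advisory: it assumes combined-format access logs from a proxy in front of the Cleo HTTP interface, and the log lines, client addresses, file names and Cleo paths in it are constructed. It goes slightly beyond the single request shown above by also resolving percent-encoded and double-encoded traversal segments.

```python
"""Detect write requests that resolve into a Cleo autorun directory.

Added example; this is not Cleo code and not from the advisory. It reads
access-log lines in combined-log form (the kind a reverse proxy in front of
the Cleo HTTP interface would produce), percent-decodes and normalises the
request path by collapsing "." and ".." segments the way a file system
would, and reports any write request whose normalised path lands inside an
'autorun' directory. The log lines, hosts and paths below are constructed
for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample log lines (not captured traffic). Lines 1, 2 and 5 are the
# traversal-into-autorun pattern; line 4 is an ordinary inbox upload.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2024:10:01:12 +0000] "PUT /Cleo/Harmony/inbox/../autorun/job.xml HTTP/1.1" 200 0
10.0.0.5 - - [09/Dec/2024:10:01:13 +0000] "PUT /Cleo/Harmony/inbox/%2e%2e/autorun/run.groovy HTTP/1.1" 200 0
10.0.0.7 - - [09/Dec/2024:10:02:40 +0000] "GET /Cleo/Harmony/autorun/status HTTP/1.1" 403 512
10.0.0.9 - - [09/Dec/2024:10:03:01 +0000] "PUT /Cleo/Harmony/inbox/order_123.edi HTTP/1.1" 201 0
10.0.0.9 - - [09/Dec/2024:10:03:05 +0000] "POST /Cleo/Harmony/inbox/..%2f..%2fautorun/x.jar HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = {"PUT", "POST", "PATCH"}
AUTORUN_SEGMENT = "autorun"


def normalise_path(raw_path: str) -> str:
    """Strip the query string, percent-decode twice (catches double encoding)
    and collapse '.' / '..' segments so traversal resolves to its real target."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    parts: list[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def is_autorun_write(method: str, raw_path: str) -> bool:
    """True when a write method targets a file inside an 'autorun' directory,
    whether the path says so directly or only after traversal is resolved."""
    if method.upper() not in WRITE_METHODS:
        return False
    segments = normalise_path(raw_path).lower().split("/")
    # 'autorun' must be a directory component, not just the final file name
    return AUTORUN_SEGMENT in segments[1:-1]


def find_autorun_writes(log_text: str) -> list[dict]:
    """Parse log lines and return one record per write that resolves into autorun."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        if is_autorun_write(m["method"], m["path"]):
            hits.append({
                "client": m["client"],
                "method": m["method"],
                "raw_path": m["path"],
                "resolved_path": normalise_path(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_autorun_writes(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['raw_path']} -> "
              f"{hit['resolved_path']} ({hit['status']})")
```

On the constructed sample this reports three writes, including the two that only reveal the autorun target after decoding. The status code is carried along so a responder can separate attempts the server rejected from ones it accepted.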

Real-World Exploitation Evidence

The Clop ransomware group claimed responsibility for exploiting CVE-2024-55956 in a coordinated campaign beginning in December 2024:

  • Zero-day timing: Clop began exploitation before Cleo’s December 2024 advisory, following the same zero-day acquisition and coordinated mass exploitation pattern seen with GoAnywhere (2023) and MOVEit (2023).
  • Targeted sectors: Cleo’s customer base includes retail, manufacturing, logistics, and supply chain companies — sectors with high-value B2B transaction data. Clop’s initial targeting focused on these industries.
  • MALICHUS backdoor: Post-exploitation analysis revealed deployment of a Java-based backdoor (variously named MALICHUS or similar by threat intelligence vendors) that provided persistent access through Cleo’s Java runtime.
  • Data exfiltration focus: Consistent with Clop’s MFT campaign methodology, the focus was on mass data theft followed by extortion threats rather than ransomware encryption.
  • Rapid disclosure: Cleo issued its initial advisory rapidly but the initial “workaround” guidance was insufficient — a second advisory corrected remediation steps.

Impact Assessment

Cleo MFT platform compromise provides access to:

  • B2B transaction data: All files transferred through the platform — purchase orders, invoices, EDI documents, shipping data, financial records.
  • Trading partner connectivity: Cleo maintains connection profiles and credentials for all configured B2B trading partners; these credentials enable impersonation.
  • Internal network access: Cleo servers are often positioned with broad internal network access to receive and distribute files to backend systems.
  • Automated workflow execution: Cleo’s automation workflows often connect to databases, ERP systems, and other business-critical systems.
  • Customer data exposure: For service providers using Cleo for customer file exchange, customer data across multiple clients may be accessible.

Affected Versions

Product          Affected Versions       Fixed Version
Cleo Harmony     5.8.0.21 and prior      5.8.0.24+
Cleo VLTrader    5.8.0.21 and prior      5.8.0.24+
Cleo LexiCom     5.8.0.21 and prior      5.8.0.24+

Remediation Steps

  1. Apply Cleo patches: Upgrade to version 5.8.0.24 or later. Download from the Cleo partner portal.

  2. Disable the autorun feature immediately (critical interim mitigation):

    • Navigate to Cleo’s administrative settings
    • Disable or restrict the autorun directory feature
    • Remove any unexpected files from the autorun directory
  3. Check for IOCs before patching:

    # List everything in the autorun directory, including hidden files; it should contain nothing unexpected
    dir /a "C:\Cleo\Harmony\autorun"

    # Recursively list JAR and XML files under the install directory and drop known vendor-supplied entries
    # (replace "official" with a pattern that matches your own known-good baseline files)
    dir /s /b "C:\Cleo\Harmony\*.jar" "C:\Cleo\Harmony\*.xml" | findstr /v /i official
  4. Network isolation: Ensure the Cleo management interface is not internet-accessible. Implement firewall rules restricting access to internal networks.

  5. Review trading partner configurations: After patching, audit all configured trading partner connections for unauthorised changes.

  6. Audit Windows services: Verify no new Windows services were installed on the Cleo server during the exploitation window.

Detection Guidance

Log sources:

  • Cleo application logs in the installation directory
  • Windows Event Logs (Event ID 4688 for process creation, 7045 for service installation)
  • IIS/web server access logs if Cleo’s HTTP interface is proxied

Suspicious autorun activity:

# Process-creation events (4688) whose text mentions the Harmony install path.
# 4688 is only written when "Audit Process Creation" is enabled in the audit policy.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Message -like '*Harmony*' }

# cmd.exe or powershell.exe started by a Cleo process. The parent appears in the
# "Creator Process Name" field, present on Windows 10 / Server 2016 and later.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Message -like '*cleoapp*' -and $_.Message -match 'New Process Name:\s+\S*\\(cmd|powershell)\.exe' }

File system IOCs:

  • Unexpected .xml, .jar, or .groovy files in Cleo autorun directory
  • Modified files in Cleo application directory with recent timestamps
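The file-system checks from remediation step 3 and the IOC list above can be run as one sweep that also records a hash of every finding for later comparison. The script below is an added example, not Cleo tooling and not part of the original advisory; the install-tree layout, file names and contents it builds are constructed for illustration, and on a real host sweep() would be pointed at the actual install and autorun directories.

```python
"""Sweep a Cleo install tree for the file-system IOCs described above.

Added example; not Cleo tooling and not from the advisory. It reports
(a) every file in the autorun directory, which should contain nothing the
administrator did not put there, (b) files anywhere under the install
directory with a script or archive extension that were modified within a
recent window, and (c) a SHA-256 for each finding so it can be checked
against vendor or threat-intelligence hashes out of band. The directory
layout and file names built by build_demo_tree() are constructed for the
example.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Extensions the autorun feature or its scripting hooks would act on (assumption
# based on the file types named on the page plus common Windows script types).
SUSPECT_EXTENSIONS = {".xml", ".jar", ".groovy", ".vbs", ".bat", ".ps1"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large JARs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(install_dir: Path, autorun_dir: Path, recent_seconds: int) -> list[dict]:
    """Return findings sorted by path. Each finding lists every reason it was flagged."""
    now = time.time()
    findings = []
    for p in install_dir.rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        if autorun_dir in p.parents:
            reasons.append("file present in autorun directory")
        mtime = p.stat().st_mtime
        if p.suffix.lower() in SUSPECT_EXTENSIONS and now - mtime <= recent_seconds:
            reasons.append(f"{p.suffix.lower()} file modified in the last {recent_seconds // 86400} days")
        if reasons:
            findings.append({
                "path": p.relative_to(install_dir).as_posix(),
                "reasons": reasons,
                "sha256": sha256_of(p),
                "mtime": mtime,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> Path:
    """Create a constructed install tree in a temp directory (remove_demo_tree cleans it up)."""
    root = Path(tempfile.mkdtemp(prefix="cleo-demo-"))
    for sub in ("autorun", "lib", "inbox"):
        (root / sub).mkdir()
    ninety_days_ago = time.time() - 90 * 86400
    vendor_jar = root / "lib" / "vendor-core.jar"  # old vendor JAR: must not be flagged
    vendor_jar.write_bytes(b"PK\x03\x04 constructed placeholder")
    os.utime(vendor_jar, (ninety_days_ago, ninety_days_ago))
    (root / "inbox" / "order_123.edi").write_text("ISA*00* constructed EDI placeholder")  # recent, benign type
    (root / "autorun" / "host-sync.xml").write_text("<Run>constructed</Run>")  # anything here is reported
    (root / "lib" / "update.groovy").write_text("// constructed: recent script outside autorun")
    return root


def remove_demo_tree(root: Path) -> None:
    """Delete the constructed tree."""
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        for f in sweep(root, root / "autorun", recent_seconds=7 * 86400):
            print(f"{f['path']}: {', '.join(f['reasons'])} sha256={f['sha256'][:16]}...")
    finally:
        remove_demo_tree(root)
```

Against the constructed tree the sweep flags the XML file in autorun (for two reasons) and the recently modified Groovy script in lib, and ignores the old vendor JAR and the EDI document. Recording the hash at sweep time matters because an attacker with write access can overwrite or remove files after the fact.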

Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Cleo MFT CVE-2024-55956 Autorun File Upload"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"autorun"; nocase; sid:9002559; rev:1;)

Timeline

Date                  Event
~December 2024        Clop begins zero-day exploitation
December 9, 2024      Cleo publishes initial advisory
December 10, 2024     CISA adds CVE-2024-55956 to KEV catalogue
December 11, 2024     Huntress publishes detailed exploitation analysis
December 2024         Mass exploitation continues; Cleo releases updated advisory with clearer remediation
January 2025          Clop claims responsibility; victim extortion begins