CVE-2024-55956
NixOS vulnerability analysis and mitigation

Overview

CVE-2024-55956 affects Cleo Harmony, VLTrader, and LexiCom versions before 5.8.0.24. The vulnerability was discovered in early December 2024 and publicly disclosed on December 13, 2024. This critical vulnerability allows an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) (NVD, Huntress).

Technical details

The vulnerability exists in the default configuration of the Autorun directory functionality. Exploitation involves two HTTP POST requests that can achieve unauthenticated remote code execution. The attack leverages the software's Import functionality to process files from the Autorun directory, which are automatically executed and then deleted. The vulnerability has been observed being exploited through malicious files like healthchecktemplate.txt and healthcheck.txt placed in the autoruns subdirectory (Huntress).

Impact

Successful exploitation of this vulnerability allows attackers to achieve remote code execution with system-level privileges. The impact is particularly severe as it requires no authentication and affects systems in their default configuration. Attackers can execute arbitrary Bash or PowerShell commands, potentially leading to complete system compromise (NVD).

Mitigation and workarounds

Organizations should immediately update to version 5.8.0.24 or later. As a temporary mitigation, it is recommended to move any internet-exposed Cleo systems behind a firewall. Additionally, organizations can disable the Autorun feature by removing the contents of the Autorun Directory field in the system configuration options (Huntress).
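To make the version threshold and the Autorun-directory artifacts above actionable, here is an added triage helper (not code from Cleo, Wiz or Huntress): it compares a reported version numerically against the fixed release 5.8.0.24 and lists any files left in an Autorun directory, flagging the file names reported in observed exploitation. The directory path and sample version strings are constructed for the demo.

```python
"""Triage helpers for CVE-2024-55956 (added example; not Cleo, Wiz or Huntress code).
Check 1: does a reported Cleo Harmony / VLTrader / LexiCom version predate the 5.8.0.24 fix?
Check 2: does the Autorun directory hold the reported artifact names, or any file at all
once Autorun has been disabled? Directory path and sample versions are constructed."""
import os
import tempfile

FIXED_VERSION = (5, 8, 0, 24)
# File names Huntress reported in the autorun directory during exploitation.
KNOWN_ARTIFACTS = {"healthchecktemplate.txt", "healthcheck.txt"}


def parse_version(text):
    """'5.8.0.21' -> (5, 8, 0, 21); missing trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_vulnerable(version_text):
    """True when the version is below 5.8.0.24, the release that fixes CVE-2024-55956."""
    return parse_version(version_text) < FIXED_VERSION


def scan_autorun_dir(path):
    """Classify every regular file in the Autorun directory as (name, verdict).

    Autorun files are imported, executed and then deleted, so a known artifact name
    suggests exploitation, and any other file is unexpected once Autorun is disabled.
    """
    findings = []
    for name in sorted(os.listdir(path)):
        if os.path.isfile(os.path.join(path, name)):
            verdict = "known-artifact" if name.lower() in KNOWN_ARTIFACTS else "unexpected"
            findings.append((name, verdict))
    return findings


def demo_scan():
    """Build a constructed Autorun directory with two sample files and scan it."""
    with tempfile.TemporaryDirectory() as autorun:
        for name in ("healthcheck.txt", "readme.md"):
            with open(os.path.join(autorun, name), "w") as fh:
                fh.write("constructed sample content\n")
        return scan_autorun_dir(autorun)


if __name__ == "__main__":
    for v in ("5.8.0.21", "5.8.0.24", "5.8.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print(demo_scan())  # [('healthcheck.txt', 'known-artifact'), ('readme.md', 'unexpected')]
```

Point `scan_autorun_dir` at the path configured in the Autorun Directory field of a real install; a numeric comparison is used because a plain string comparison would rank 5.8.0.9 above 5.8.0.24.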

Community reactions

The vulnerability has gained significant attention from the cybersecurity community due to its critical nature and active exploitation. CISA has added this vulnerability to their Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by January 7, 2025. Multiple security firms, including Huntress and Rapid7, have published detailed analyses and warnings about the ongoing exploitation (NVD).

This report was generated using AI.
