“Promptly upon discovering the vulnerability, Cleo launched an investigation with the help of outdoors cybersecurity consultants, notified clients of the problem and supplied directions on quick actions clients ought to take to handle the vulnerability,” a Cleo spokesperson instructed CSO through e-mail. “Cleo’s investigation is ongoing. Clients are inspired to verify Cleo’s safety bulletin webpage frequently for updates.”
Upon additional investigation, researchers from Rapid7 imagine CVE-2024-55956 is a separate vulnerability and never a bypass of the patch for CVE-2024-50623, as initially believed and reported by Huntress. The brand new flaw is an unauthenticated file write vulnerability, whereas the older one is an authenticated file learn and write flaw that requires credentials to take advantage of.
“The 2 vulnerabilities usually are not chained collectively to attain RCE; CVE-2024-55956 might be exploited by itself to attain unauthenticated RCE,” Stephen Fewer, principal safety researcher at Rapid7, instructed CSO through e-mail. “CVE-2024-55956 does happen in the same a part of the product code base because the CVE-2024-50623 and is reachable through the identical endpoint within the goal. Nevertheless, the exploitation technique differs significantly between the 2 vulnerabilities.”
Abusing the autorun function
Huntress believes one of many exploits is the file add vulnerability to drop a file known as healthchecktemplate.txt in a subdirectory known as autorun from the applying’s folder. Information current within the folder are robotically processed by the Cleo purposes.
