“Promptly upon discovering the vulnerability, Cleo launched an investigation with the help of exterior cybersecurity specialists, notified clients of the difficulty and supplied directions on fast actions clients ought to take to handle the vulnerability,” a Cleo spokesperson informed CSO through electronic mail. “Cleo’s investigation is ongoing. Clients are inspired to test Cleo’s safety bulletin webpage usually for updates.”
Upon additional investigation, researchers from Rapid7 consider CVE-2024-55956 is a separate vulnerability and never a bypass of the patch for CVE-2024-50623, as initially believed and reported by Huntress. The brand new flaw is an unauthenticated file write vulnerability, whereas the older one is an authenticated file learn and write flaw that requires credentials to take advantage of.
“The 2 vulnerabilities should not chained collectively to realize RCE; CVE-2024-55956 may be exploited by itself to realize unauthenticated RCE,” Stephen Fewer, principal safety researcher at Rapid7, informed CSO through electronic mail. “CVE-2024-55956 does happen in an identical a part of the product code base because the CVE-2024-50623 and is reachable through the identical endpoint within the goal. Nevertheless, the exploitation technique differs drastically between the 2 vulnerabilities.”
Abusing the autorun characteristic
Huntress believes one of many exploits is the file add vulnerability to drop a file known as healthchecktemplate.txt in a subdirectory known as autorun from the applying’s folder. Information current within the folder are robotically processed by the Cleo functions.