Statement on CVE-2024-55956 Cleo Unauthenticated Malicious Hosts Vulnerability
December 23, 2024
Information
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Risk
Not Applicable
Response
Melissa Data Corporation (“Melissa”) was not impacted by the Cleo vulnerability as Melissa does not utilize Cleo products for any Melissa commercial web services or products.
Melissa will continue to follow all guidance provided for this vulnerability as necessary to prevent any future risks.