December 10 Advisory: Unrestricted File Upload Vulnerability in Multiple Cleo File Transfer Products [CVE-2024-50623]

Field	Details
CVE-ID	CVE-2024-50623 – CVSS 8.8 (critical) – assigned by CISA ADP
Vulnerability Description	In Cleo Harmony, VLTrader, and LexiCom versions before and including 5.8.0.21, there is an unrestricted file upload and download that allows unauthenticated remote code execution.
Date of Disclosure	December 9, 2024
Affected Assets	The following Cleo products are affected: Cleo Harmony Cleo VLTrader Cleo LexiCom
Vulnerable Software Versions	Versions before and including 5.8.0.21.
PoC Available?	Huntress provided details about a proof of concept exploit in their blog.
Exploitation Status	While this vulnerability is not listed on CISA KEV, Huntress reported that this CVE was being exploited in the wild in their blog.
Patch Status	Cleo indicated that the vulnerability was fixed in version 5.8.0.21 of all three solutions, but according to Huntress, 5.8.0.21 remains vulnerable to exploitation. Cleo is preparing a new CVE designation and expects a new patch to be released mid-week.

Field

Details

CVE-ID

CVE-2024-50623 – CVSS 8.8 (critical) – assigned by CISA ADP

Vulnerability Description

In Cleo Harmony, VLTrader, and LexiCom versions before and including 5.8.0.21, there is an unrestricted file upload and download that allows unauthenticated remote code execution.

Date of Disclosure

December 9, 2024

Affected Assets

The following Cleo products are affected:

Cleo Harmony
Cleo VLTrader
Cleo LexiCom

Vulnerable Software Versions

Versions before and including 5.8.0.21.

PoC Available?

Huntress provided details about a proof of concept exploit in their blog.

Exploitation Status

While this vulnerability is not listed on CISA KEV, Huntress reported that this CVE was being exploited in the wild in their blog.

Patch Status

Cleo indicated that the vulnerability was fixed in version 5.8.0.21 of all three solutions, but according to Huntress, 5.8.0.21 remains vulnerable to exploitation. Cleo is preparing a new CVE designation and expects a new patch to be released mid-week.

Censys Perspective

At the time of writing, Censys observed 1,342 exposed Cleo Harmony, VLTrader, and LexiCom instances online. A large proportion of these (79%) are geolocated in the United States. Censys observed about 13% of the exposed instances to be associated with Microsoft Azure (ASN 8075). Currently all instances observed are vulnerable pending a release patch from Cleo.

Map of Exposed affected Cleo instances:

services.http.response.headers: (key: "Server" and value.headers: {"Cleo Harmony/", "Cleo VLTrader/", "Cleo LexiCom/"})

host.services.http.response.headers: (key: "Server" and value.headers: {"Cleo Harmony/", "Cleo VLTrader/", "Cleo LexiCom/"})

risks.name="Vulnerable Cleo Instance [CVE-2024-50623]"

US: +1-888-985-5547

Intl: +1-877-438-9159

connect@censys.com

December 10 Advisory: Unrestricted File Upload Vulnerability in Multiple Cleo File Transfer Products [CVE-2024-50623]

Censys Perspective

References

Subscribe to our newsletter

Subscribe to our newsletter