December 10 Advisory: Unrestricted File Upload Vulnerability in Multiple Cleo File Transfer Products [CVE-2024-50623]

Date of Disclosure: December 9, 2024
Date Reported as Actively Exploited (source): December 9, 2024

CVE-2024-50623 is an unauthenticated remote code execution vulnerability that affects Cleo products Harmony, VLTrader, and LexiCom, used for managed file transfer. This CVE is still awaiting analysis in the NVD.

Censys Perspective

At the time of writing, Censys observed 1,342 exposed Cleo Harmony, VLTrader, and LexiCom instances online. A large proportion of these (79%) are geolocated in the United States. Censys observed about 13% of the exposed instances to be associated with Microsoft Azure (ASN 8075). Currently all instances observed are vulnerable pending a release patch from Cleo. 

Map of Exposed affected Cleo instances:

Censys Search Query:

services.http.response.headers: (key: "Server" and value.headers: {"Cleo Harmony/", "Cleo VLTrader/", "Cleo LexiCom/"})

Censys ASM Query:

host.services.http.response.headers: (key: "Server" and value.headers: {"Cleo Harmony/", "Cleo VLTrader/", "Cleo LexiCom/"})

Censys ASM Risk Query:

risks.name="Vulnerable Cleo Instance [CVE-2024-50623]"

References

• https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
• https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623
• https://nvd.nist.gov/vuln/detail/CVE-2024-50623