Date of Disclosure: December 9, 2024
Date Reported as Actively Exploited (source): December 9, 2024
CVE-2024-50623 is an unauthenticated remote code execution vulnerability that affects Cleo products Harmony, VLTrader, and LexiCom, used for managed file transfer. This CVE is still awaiting analysis in the NVD.
| Field | Details |
|---|---|
| CVE-ID | CVE-2024-50623 – CVSS 8.8 (critical) – assigned by CISA ADP |
| Vulnerability Description | In Cleo Harmony, VLTrader, and LexiCom versions before and including 5.8.0.21, an unrestricted file upload and download allows unauthenticated remote code execution. |
| Date of Disclosure | December 9, 2024 |
| Affected Assets | The following Cleo products are affected: Cleo Harmony, Cleo VLTrader, Cleo LexiCom |
| Vulnerable Software Versions | Versions before and including 5.8.0.21. |
| PoC Available? | Huntress provided details about a proof-of-concept exploit in their blog. |
| Exploitation Status | While this vulnerability is not listed on CISA KEV, Huntress reported in their blog that this CVE is being exploited in the wild. |
| Patch Status | Cleo indicated that the vulnerability was fixed in version 5.8.0.21 of all three products, but according to Huntress, 5.8.0.21 remains vulnerable to exploitation. Cleo is preparing a new CVE designation and expects to release a new patch mid-week. |
Censys Perspective
At the time of writing, Censys observed 1,342 exposed Cleo Harmony, VLTrader, and LexiCom instances online. A large proportion of these (79%) are geolocated in the United States. Censys observed about 13% of the exposed instances to be associated with Microsoft Azure (ASN 8075). Because no fixed release is available yet, all observed instances are currently considered vulnerable pending a patch from Cleo.
Map of exposed affected Cleo instances:
Censys Search Query:
services.http.response.headers: (key: "Server" and value.headers: {"Cleo Harmony/", "Cleo VLTrader/", "Cleo LexiCom/"})
Censys ASM Query:
host.services.http.response.headers: (key: "Server" and value.headers: {"Cleo Harmony/", "Cleo VLTrader/", "Cleo LexiCom/"})
Censys ASM Risk Query:
risks.name="Vulnerable Cleo Instance [CVE-2024-50623]"
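The queries above identify exposed instances by the `Server` response header. The following is an added example (not Censys's or Cleo's code) of how a defender can triage a list of hosts from an inventory or scan result the same way, classifying each by product and version. It assumes, as the queries suggest, that the header begins with the product name (for example "Cleo Harmony/") and, as an assumption not stated on the page, that a dotted version follows the slash. Versions up to and including 5.8.0.21 are flagged as vulnerable per the CVE text; anything newer is flagged for manual verification, since the page reports that no confirmed fix exists yet. The sample observations are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Products named in the advisory and the last version the CVE text lists as affected.
CLEO_PRODUCTS = ("Cleo Harmony", "Cleo VLTrader", "Cleo LexiCom")
LAST_AFFECTED_VERSION = "5.8.0.21"

# Assumption (not from the page): the Server header looks like "Cleo Harmony/5.8.0.21".
# The version part is optional so banners that omit it are still recognised as Cleo.
_SERVER_RE = re.compile(r"^(Cleo (?:Harmony|VLTrader|LexiCom))(?:/([0-9][0-9.]*))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so it compares numerically, not lexically."""
    return tuple(int(part) for part in text.split(".") if part)


def parse_server_header(value: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (product, version) for a Cleo banner, or None if the header is not Cleo."""
    m = _SERVER_RE.match(value.strip())
    if not m:
        return None
    return m.group(1), m.group(2) or None


def assess(server_header: str) -> Dict[str, Optional[str]]:
    """Classify one Server header value against the advisory's affected-version range."""
    parsed = parse_server_header(server_header)
    if parsed is None:
        return {"cleo": False, "product": None, "version": None, "status": "not-cleo"}
    product, version = parsed
    if version is None:
        # Exposed Cleo instance but the banner carries no version: cannot rule it out.
        status = "exposed-version-unknown"
    elif parse_version(version) <= parse_version(LAST_AFFECTED_VERSION):
        # Inside the range the CVE text names (and 5.8.0.21 itself is reported still exploitable).
        status = "vulnerable"
    else:
        # Newer than any version the advisory names; confirm against vendor guidance.
        status = "exposed-verify"
    return {"cleo": True, "product": product, "version": version, "status": status}


def _server_value(headers: Dict[str, str]) -> str:
    """Case-insensitive lookup of the Server header."""
    for key, value in headers.items():
        if key.lower() == "server":
            return value
    return ""


def triage(observations: Iterable[Tuple[str, Dict[str, str]]]):
    """Assess (host, response_headers) pairs; return per-host results and a status tally."""
    results: List[Dict[str, Optional[str]]] = []
    counts: Dict[str, int] = {}
    for host, headers in observations:
        result = assess(_server_value(headers))
        result["host"] = host
        results.append(result)
        counts[result["status"]] = counts.get(result["status"], 0) + 1
    return results, counts


# Constructed sample observations (hypothetical hosts and banners, not real scan data).
SAMPLE_OBSERVATIONS = [
    ("mft-1.example.internal", {"Server": "Cleo Harmony/5.8.0.21"}),
    ("mft-2.example.internal", {"server": "Cleo VLTrader/5.8.0.19"}),
    ("mft-3.example.internal", {"Server": "Cleo LexiCom/5.7.0.10"}),
    ("mft-4.example.internal", {"Server": "Cleo LexiCom"}),
    ("web-1.example.internal", {"Server": "nginx/1.24.0"}),
]

if __name__ == "__main__":
    rows, tally = triage(SAMPLE_OBSERVATIONS)
    for row in rows:
        print(f"{row['host']:28} {row['status']:24} {row['product'] or '-'} {row['version'] or '-'}")
    print(tally)
```

Hosts tagged `vulnerable` or `exposed-version-unknown` are the ones to isolate or restrict from the internet until Cleo's new patch ships; `exposed-verify` rows should be rechecked once a fixed version is published.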