CVE-2024-50623 - Cleo Multiple Products Unrestricted File Upload Vulnerability [Actively Exploited]
Known Exploited Vulnerability | CVSS 3.1 base score 9.8 (CRITICAL)
Description

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

INFO

Published Date : Oct. 28, 2024, 12:15 a.m.
Last Modified : Dec. 20, 2024, 3:04 p.m.
Remotely Exploitable : Yes
Impact Score : 5.9
Exploitability Score : 3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update ; https://nvd.nist.gov/vuln/detail/CVE-2024-50623

Public PoC/Exploit Available on GitHub

CVE-2024-50623 has 3 public PoCs/exploits available on GitHub; they are listed below.

Affected Products

The following products are affected by the CVE-2024-50623 vulnerability. Although cvefeed.io may know the exact affected versions, that information is not represented in the table below.

ID  Vendor  Product
1   Cleo    lexicom
2   Cleo    harmony
3   Cleo    vltrader
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-50623.

URL Resource
https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs-of-concept that have been published on GitHub (sorted by most recently updated).

A collection of Vulnerability Research and Reverse Engineering writeups.
Updated: 15 hours, 22 minutes ago | 0 stars, 0 forks, 0 watchers
Created: Dec. 21, 2024, 2:55 p.m. This repo has been linked to 48 different CVEs.

Cleo Unrestricted file upload and download PoC (CVE-2024-50623)
Language: Python
Updated: 1 week ago | 17 stars, 4 forks, 4 watchers
Created: Dec. 11, 2024, 2:19 p.m. This repo has been linked to 1 CVE.

Description of the recent (Dec 2024) attack against vltrader
Updated: 1 week, 4 days ago | 5 stars, 0 forks, 0 watchers
Created: Dec. 10, 2024, 10:32 a.m. This repo has been linked to 1 CVE.

Results are limited to the first 15 repositories due to potential performance issues.

The following is a list of news articles that mention the CVE-2024-50623 vulnerability anywhere in the article.

  • TheCyberThrone: Clop ransomware exploits Cleo Vulnerability in its attacks
    The Clop ransomware gang has recently claimed responsibility for a series of sophisticated data theft attacks targeting Cleo, a prominent provider of managed file transfer software. These attacks expl...
    Published Date: Dec 17, 2024 (5 days, 4 hours ago)

  • Cybersecurity News: Critical Windows and Adobe ColdFusion Vulnerabilities Actively Exploited in the Wild, PoC Exploit Published
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about two critical vulnerabilities being actively exploited by malicious actors. These flaws, impacting bo...
    Published Date: Dec 17, 2024 (5 days, 5 hours ago)

  • Cybersecurity News: CVE-2024-55875 (CVSS 9.8): Critical XXE Vulnerability Found in http4k Toolkit
    A critical XML External Entity (XXE) Injection vulnerability, identified as CVE-2024-55875, has been discovered in the http4k toolkit, a lightweight HTTP framework written in Kotlin. With a CVSS score...
    Published Date: Dec 17, 2024 (5 days, 6 hours ago)

  • The Register: Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility
    Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-li...
    Published Date: Dec 16, 2024 (5 days, 8 hours ago)

  • security.nl: Shadowserver: nearly a thousand vulnerable Cleo servers on the internet
    Nearly a thousand servers running vulnerable Cleo file sharing software can be found on the internet, the vast majority of them in the United States, followed at a distance by Canada. This is reported by...
    Published Date: Dec 16, 2024 (5 days, 16 hours ago)

  • security.nl: Clop ransomware claims responsibility for data theft via Cleo flaw
    The criminals behind the Clop ransomware, who five years ago infected systems at Maastricht University, say they are behind the attacks in which a ... is being exploited
    Published Date: Dec 16, 2024 (5 days, 22 hours ago)

  • BleepingComputer: Clop ransomware claims responsibility for Cleo data theft attacks
    12/16/24 update: Article updated to include new information about Cleo CVE-2024-50623 and CVE-2024-55956 flaws. The Clop ransomware gang has confirmed to BleepingComputer that they are behind the rece...
    Published Date: Dec 15, 2024 (6 days, 11 hours ago)

  • security.nl: US confirms exploitation of critical Cleo flaw in ransomware attacks
    A critical vulnerability in the file sharing software of software company Cleo is being used in ransomware attacks, the US cyber agency CISA has confirmed. Earlier, security...
    Published Date: Dec 14, 2024 (1 week ago)

  • TheCyberThrone: CISA adds Cleo Vulnerability CVE-2024-50623 to KEV Catalog
    The US CISA adds Cleo vulnerability to its Known Exploited Vulnerabilities Catalog based on the evidence of active exploitation reported. Security vendor Huntress was the first to publicize the attacks...
    Published Date: Dec 14, 2024 (1 week, 1 day ago)

  • Cybersecurity News: Over 15,000 Sites at Risk: Woffice WordPress Theme Vulnerabilities Could Lead to Full Site Takeovers
    Patchstack has disclosed two critical vulnerabilities in the widely used Woffice WordPress theme, a premium intranet/extranet solution with over 15,000 sales. Developed by Xtendify, the Woffice theme...
    Published Date: Dec 14, 2024 (1 week, 1 day ago)

  • Dark Reading: Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn
    An active ransomware campaign against the Cleo managed file transfer tool is about to ramp up now that a proof-of-concept exploit for a zero-d...
    Published Date: Dec 13, 2024 (1 week, 1 day ago)

  • BleepingComputer: CISA confirms critical Cleo bug exploitation in ransomware attacks
    CISA confirmed today that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks. This flaw (tracked as CVE-2024-5062...
    Published Date: Dec 13, 2024 (1 week, 1 day ago)

  • TheCyberThrone: Gitlab fixes CVE-2024-11274 and CVE-2024-8233
    GitLab has released a crucial security update to address multiple vulnerabilities impacting various versions of its platform. This update, applicable to versions 17.6.2, 17.5.4, and 17.4.6 for both Co...
    Published Date: Dec 13, 2024 (1 week, 1 day ago)

  • Cybersecurity News: Modular Java Backdoor Emerges in Cleo Exploitation Campaign (CVE-2024-50623)
    Rapid7 Labs and its Managed Detection and Response (MDR) team uncovered a sophisticated modular Java-based Remote Access Trojan (RAT) deployed in a multi-stage attack targeting Cleo file transfer soft...
    Published Date: Dec 13, 2024 (1 week, 2 days ago)

  • BleepingComputer: Cleo patches critical zero-day exploited in data theft attacks
    Cleo has released security updates for a zero-day flaw in its LexiCom, VLTransfer, and Harmony software, currently exploited in data theft attacks. In October, the company patched a pre-auth remote co...
    Published Date: Dec 12, 2024 (1 week, 2 days ago)

  • Help Net Security: Cleo patches zero-day exploited by ransomware gang
    Cleo has released a security patch to address the critical vulnerability that started getting exploited while still a zero-day to breach internet-facing Cleo Harmony, VLTrader, and LexiCom instances. ...
    Published Date: Dec 12, 2024 (1 week, 2 days ago)

  • Cybersecurity News: PoC Exploit Code Releases Cleo Zero-Day Vulnerability (CVE-2024-50623)
    Organizations using Cleo file transfer software are urged to take immediate action as a critical vulnerability, CVE-2024-50623, is being actively exploited in the wild. This zero-day flaw affects Cleo...
    Published Date: Dec 12, 2024 (1 week, 3 days ago)

  • Cybersecurity News: CVE-2024-11274: GitLab Vulnerability Exposes User Accounts
    GitLab has issued an important security update addressing a range of vulnerabilities affecting multiple versions of its platform. The update, which includes versions 17.6.2, 17.5.4, and 17.4.6 for Com...
    Published Date: Dec 12, 2024 (1 week, 3 days ago)

  • Cybersecurity News: Microsoft Addresses Critical Zero-Day CVE-2024-49138 & 72 Additional Flaws in December Patch Tuesday
    Microsoft has released its December 2024 Patch Tuesday security update, addressing a total of 73 vulnerabilities across its product portfolio. This comprehensive update includes fixes for 16 critical...
    Published Date: Dec 11, 2024 (1 week, 4 days ago)

  • Dark Reading: 'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks
    Ransomware group "Termite" — which recently claimed supply chain vendor Blue Yonder as a victim — may be behind widespread exploit activity targeting a previously fixed...
    Published Date: Dec 10, 2024 (1 week, 4 days ago)

  • The Hacker News: Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged
    Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully pa...
    Published Date: Dec 10, 2024 (1 week, 4 days ago)

  • BleepingComputer: New Cleo zero-day RCE flaw exploited in data theft attacks
    Update added to bottom of the article. Hackers are actively exploiting a zero-day vulnerability in Cleo managed file transfer software to breach corporate networks and conduct data theft attacks. The...
    Published Date: Dec 10, 2024 (1 week, 4 days ago)

  • The Register: Fully patched Cleo products under renewed 'zero-day-ish' mass attack
    Researchers at security shop Huntress are seeing mass exploitation of a vulnerability affecting three Cleo file management products, even on patched systems. Cleo issued patches for CVE-2024-50623, an...
    Published Date: Dec 10, 2024 (1 week, 4 days ago)

  • Help Net Security: Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623)
    Attackers are exploiting a vulnerability (CVE-2024-50623) in file transfer software by Cleo – LexiCom, VLTransfer, and Harmony – to gain access to organizations' systems, Huntress researchers warned on...
    Published Date: Dec 10, 2024 (1 week, 4 days ago)

  • security.nl: Large-scale exploitation of critical flaw in Cleo file transfer software reported
    Attackers are exploiting, on a large scale, a critical vulnerability in the file transfer software of...
    Published Date: Dec 10, 2024 (1 week, 4 days ago)

  • Cybersecurity News: CVE-2024-50623: Critical Vulnerability in Cleo Software Actively Exploited in the Wild
    Huntress Labs has raised the alarm over the active exploitation of a critical vulnerability (CVE-2024-50623) in Cleo's Harmony, VLTrader, and LexiCom software, commonly used for managing file transfer...
    Published Date: Dec 10, 2024 (1 week, 5 days ago)

  • Cybersecurity News: CVE-2024-54143: Critical Vulnerability in OpenWrt's Attended SysUpgrade Server Allows for Firmware Poisoning
    OpenWrt, a popular open-source operating system for embedded devices, has disclosed a critical vulnerability (CVE-2024-54143) that could allow attackers to compromise the integrity of firmware updates...
    Published Date: Dec 10, 2024 (1 week, 5 days ago)

  • Cybersecurity News: CVE-2024-55579 & CVE-2024-55580: Qlik Sense Users Face Serious Security Risk
    Qlik, a leading provider of business intelligence and data analytics platforms, has disclosed two vulnerabilities affecting Qlik Sense Enterprise for Windows. These vulnerabilities, identified as CVE-...
    Published Date: Dec 09, 2024 (1 week, 6 days ago)

  • huntress.com: Cleo Software Actively Being Exploited in the Wild CVE-2024-55956 | Huntress
    CVE-2024-55956 Summary: On December 3, Huntress identified an emerging threat involving Cleo's LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We've directly observed...
    Published Date: Dec 09, 2024 (1 week, 6 days ago)

  • Darktrace: Phishing Attacks Surge Over 600% in the Buildup to Black Friday
    Introduction: Nation state attacks on supply chains. In recent years, supply chain attacks have surged in both frequency and sophistication, evolving into one of the most severe threats to organizations...
    Published Date: Dec 04, 2024 (2 weeks, 3 days ago)

  • Cybersecurity News: Microsoft Emphasizes TPM 2.0 as a "Necessity" for Secure Windows 11 Deployment
    In a recent blog post, Microsoft reiterated the importance of Trusted Platform Module (TPM) 2.0 for Windows 11 security, calling it a "necessity" for a secure and future-proof Windows 11 environment. ...
    Published Date: Dec 04, 2024 (2 weeks, 4 days ago)

  • Cybersecurity News: Threat Actors Exploiting Misconfigured Docker Remote API Servers with Gafgyt Malware
    Trend Micro Research has revealed a significant evolution in the behavior of the Gafgyt malware (also known as Bashlite or Lizkebab), which is now targeting misconfigured Docker Remote API servers. Th...
    Published Date: Dec 04, 2024 (2 weeks, 4 days ago)

The following table lists the changes that have been made to the CVE-2024-50623 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]
    Dec. 20, 2024
    Action | Type | Old Value | New Value
    Added | CVSS V3.1 | - | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added | CWE | - | NIST CWE-434
    Added | CPE Configuration | - | OR:
        *cpe:2.3:a:cleo:harmony:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.21
        *cpe:2.3:a:cleo:lexicom:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.21
        *cpe:2.3:a:cleo:vltrader:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.21
    Changed | Reference Type | https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory (No Types Assigned) | https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory (Vendor Advisory)

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
    Dec. 17, 2024
    Action | Type | Old Value | New Value
    Added | CVSS V3.1 | - | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Removed | CVSS V3.1 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | -

  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
    Dec. 14, 2024
    Action | Type | Old Value | New Value
    Added | Date Added | - | 2024-12-13
    Added | Due Date | - | 2025-01-03
    Added | Required Action | - | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
    Added | Vulnerability Name | - | Cleo Multiple Products Unrestricted File Upload Vulnerability

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
    Dec. 10, 2024
    Action | Type | Old Value | New Value
    Added | CWE | - | CWE-434
    Removed | CWE | CWE-79 | -

  • CVE Modified by [email protected]
    Nov. 15, 2024
    Action | Type | Old Value | New Value
    Changed | Description | In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution. | In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
    Oct. 30, 2024
    Action | Type | Old Value | New Value
    Added | CWE | - | CISA-ADP CWE-79
    Added | CVSS V3.1 | - | CISA-ADP AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  • CVE Modified by [email protected]
    Oct. 28, 2024
    Action | Type | Old Value | New Value
    Changed | Description | In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability. | In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution.

  • CVE Received by [email protected]
    Oct. 28, 2024
    Action | Type | Old Value | New Value
    Added | Description | - | In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability.
    Added | Reference | - | MITRE https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory [No types assigned]
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-50623 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-50623 weaknesses.

CVSS 3.1 - Common Vulnerability Scoring System

Base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability.