CVE-2024-50623
Cleo Multiple Products Unrestricted File Upload Vulnerability - [Actively Exploited]
Description
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
INFO
Published Date: Oct. 28, 2024, 12:15 a.m.
Last Modified: Dec. 23, 2024, 6:15 a.m.
Remotely Exploitable: Yes
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Vulnerability description: Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.
Date added: 2024-12-13 (due date 2025-01-03; see the change history at the end of this page)
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
References:
https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update
https://nvd.nist.gov/vuln/detail/CVE-2024-50623
CVSS Scores
Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|---|
9.8 | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | [email protected] |
9.8 | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Both vectors are taken from the change history at the end of this page (NIST initial analysis of Dec. 20, 2024; CISA-ADP update of Dec. 17, 2024, which replaced an earlier AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H vector). The base, exploitability and impact values are computed from those vectors with the CVSS 3.1 formula; the withdrawn UI:R vector scores 8.8 (HIGH), so the Dec. 17 change moved the CVE from HIGH to CRITICAL.
Solution
- Upgrade Cleo Harmony, VLTrader, and LexiCom to version 5.8.0.21 or later, the fixed version in the NVD configuration. One of the public PoCs listed below describes an arbitrary file write leading to remote code execution in builds before 5.8.0.24, so check Cleo's current Product Security Update (linked in the KEV entry above) for the build the vendor considers fully fixed rather than stopping at 5.8.0.21.
- Until the upgrade is done, apply the vendor's interim mitigations and keep the products off the public internet where possible; Cleo's advisory recommended clearing the Autorun Directory setting so that uploaded files are not executed automatically. CISA's required action is to mitigate per vendor instructions or discontinue use of the product.
- Review and verify file upload configurations: confirm the installed version on every Harmony, VLTrader and LexiCom instance, and review which directories the products accept uploads into and who can reach the file-transfer listeners.
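As an added example (not code from this page, NVD or Cleo), here is a version-range triage check built from the CPE configuration NVD recorded on Dec. 20, 2024 (cleo:harmony, cleo:lexicom and cleo:vltrader, all versions up to but excluding 5.8.0.21; see the change history at the end of this page). The inventory rows and hostnames are constructed sample data. Because one PoC on this page targets builds before 5.8.0.24, the fixed-version cutoff is a parameter rather than a constant, and the comparison is numeric so that 5.8.0.9 is correctly treated as older than 5.8.0.21 (a plain string comparison gets that backwards).

```python
"""Affected-version triage for CVE-2024-50623 (added example, not the page's own code)."""
import re

# NVD's configuration: product -> first fixed version (range is "up to (excluding)").
NVD_FIXED_VERSION = "5.8.0.21"
AFFECTED_PRODUCTS = {
    "cpe:2.3:a:cleo:harmony": NVD_FIXED_VERSION,
    "cpe:2.3:a:cleo:lexicom": NVD_FIXED_VERSION,
    "cpe:2.3:a:cleo:vltrader": NVD_FIXED_VERSION,
}

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """'5.8.0.21' -> (5, 8, 0, 21). Rejects anything that is not dotted digits."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(p) for p in text.split("."))


def version_lt(a, b):
    """Numeric, component-wise comparison; shorter tuples are padded with 0 so 5.8 == 5.8.0.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_affected(cpe_product, version, fixed=None):
    """True if the product is in NVD's configuration and version < fixed (fixed version excluded)."""
    key = cpe_product.lower()
    if key not in AFFECTED_PRODUCTS:
        return False
    return version_lt(version, fixed or AFFECTED_PRODUCTS[key])


def triage(inventory, fixed=None):
    """Return (rows that need patching, rows whose version string could not be parsed).

    Unparseable versions are reported separately rather than silently skipped,
    because a hotfix suffix or a typo in an inventory is exactly the kind of
    host that gets missed in a patch campaign.
    """
    needs_patch, unparseable = [], []
    for host, product, version in inventory:
        try:
            if is_affected(product, version, fixed):
                needs_patch.append((host, product, version))
        except ValueError:
            unparseable.append((host, product, version))
    return needs_patch, unparseable


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = [
    ("mft-01.example.test", "cpe:2.3:a:cleo:harmony", "5.8.0.20"),
    ("mft-02.example.test", "cpe:2.3:a:cleo:vltrader", "5.8.0.21"),
    ("mft-03.example.test", "cpe:2.3:a:cleo:lexicom", "5.8.0.9"),
    ("mft-04.example.test", "cpe:2.3:a:cleo:harmony", "5.7"),
    ("mft-05.example.test", "cpe:2.3:a:cleo:harmony", "5.8.0.21-hotfix"),
    ("edi-01.example.test", "cpe:2.3:a:other:product", "1.0"),
]

if __name__ == "__main__":
    for cutoff in (None, "5.8.0.24"):
        patch, bad = triage(SAMPLE_INVENTORY, fixed=cutoff)
        print(f"cutoff {cutoff or NVD_FIXED_VERSION}: patch {[r[0] for r in patch]}, unparseable {[r[0] for r in bad]}")
```

Run against the NVD cutoff, the check flags mft-01, mft-03 and mft-04, clears mft-02 at exactly 5.8.0.21, and reports mft-05 as unparseable; with the cutoff raised to 5.8.0.24, mft-02 is flagged as well.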
Public PoC/Exploit Available at GitHub
CVE-2024-50623 has 11 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-50623.
URL | Resource |
---|---|
https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-50623 is associated with the following CWEs:
- CWE-434: Unrestricted Upload of File with Dangerous Type. CISA-ADP first tagged the issue as CWE-79 on Oct. 30, 2024 and replaced it with CWE-434 on Dec. 10, 2024; NIST assigned CWE-434 in its Dec. 20, 2024 analysis (see the change history at the end of this page).
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-50623 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated). Repository names were not captured; each entry shows the repository description, its topics where present, and its primary language.
- (no description) (language: Python)
- (no description) (languages: HTML, Python, Shell)
- Proof of concept to use an arbitrary file write to achieve Remote Code Execution in Cleo Harmony, VLTrader, and LexiCom before 5.8.0.24. (language: Python)
- Batch detection script for the Cleo remote code execution vulnerability (CVE-2024-50623) (language: Python)
- A project that backs up and consolidates the latest PoCs from across the web 🤔
- CVE-2024-50623 POC - Cleo Unrestricted file upload and download (topics: cleo, file-upload, lfi-exploitation, rce-exploit, cve-2024-50623) (language: Shell)
- A collection of Vulnerability Research and Reverse Engineering writeups.
- Cleo Unrestricted file upload and download PoC (CVE-2024-50623) (language: Python)
- Description of the recent (Dec 2024) attack against vltrader
- CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability. (language: Python)
- Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs. (topics: cisa-kev, vulnerability, 0day, cisa, exploits)
Results are limited to the first 15 repositories due to potential performance issues.
The following list shows news articles that mention the CVE-2024-50623 vulnerability anywhere in the article.
- Help Net Security: AI gives ransomware gangs a deadly upgrade
  Ransomware continues to be the major threat to large and medium-sized businesses, with numerous ransomware gangs abusing AI for automation, according to Acronis. Ransomware gangs maintain pressure on ...
- Cyber Security News: 213% Increase in Ransomware Attacks Targeting Organizations With First Quarter of 2025
  The first quarter of 2025 has witnessed an unprecedented surge in ransomware attacks, with 2,314 victims listed across 74 unique data leak sites, representing a staggering 213% increase compared to th ...
- Daily CyberSecurity: Confucius Group Evolves: Researcher Uncovers New Modular Backdoor “Anondoor” in Latest Espionage Campaign
  The Confucius APT group—long associated with cyber-espionage operations targeting government and military organizations in South and East Asia—has resurfaced with a newly upgraded attack chain. Resear ...
- Daily CyberSecurity: Urgent WordPress Alert: Motors Theme Flaw (CVE-2025-4322) Actively Exploited for Site Takeover
  Last month, a critical vulnerability was reported to Wordfence that now threatens more than 22,000 WordPress websites using the popular Motors automotive dealership theme. Tracked as CVE-2025-4322 and ...
- Help Net Security: Hertz data breach: Customers in US, EU, UK, Australia and Canada affected
  American car rental company Hertz has suffered a data breach linked to last year’s exploitation of Cleo zero-day vulnerabilities by a ransomware gang. The breach resulted in information of an unknown ...
- The Register: Where it Hertz: Customer data driven off in Cleo attacks
  Car hire giant Hertz has confirmed that customer information was stolen during the zero-day data raids on Cleo file transfer products last year. A breach notification was issued on Monday on behalf of ...
- Help Net Security: RCE flaw in MSP-friendly file sharing platform exploited by attackers (CVE-2025-30406)
  A critical RCE vulnerability (CVE-2025-30406) affecting the Gladinet CentreStack file-sharing/remote access platform has been added to CISA’s Known Exploited Vulnerabilities catalog on Tuesday. Accord ...
- BleepingComputer: Food giant WK Kellogg discloses data breach linked to Clop ransomware
  US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks. Cleo software is a managed file transfer utility that was targeted by ...
- BleepingComputer: Retail giant Sam’s Club investigates Clop ransomware breach claims
  Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach. The Walmart division operates over 600 warehouse clubs wit ...
- Help Net Security: CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825)
  CrushFTP has fixed a critical vulnerability (CVE-2025-2825) in its enterprise file transfer solution that could be exploited by remote, unauthenticated attackers to access vulnerable internet-facing s ...
- The Register: Ransomware criminals love CISA's KEV list – and that's a bug, not a feature
  Fresh research suggests attackers are actively monitoring databases of vulnerabilities that are known to be useful in carrying out ransomware attacks. GreyNoise's annual Mass Internet Exploitation Rep ...
- The Hacker News: Leaked Black Basta Chat Logs Reveal $107M Ransom Earnings and Internal Power Struggles
  More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented visibility into their tactics and internal c ...
- Cyber Security News: CL0P Ransomware Attacking Telecommunications & Healthcare Sectors In Large Scale
  The CL0P ransomware group has intensified attacks on critical infrastructure sectors, with telecommunications and healthcare organizations worldwide reporting mass data breaches and system encryption. ...
- security.nl: Centric reports theft of privacy-sensitive customer data from a test server
  IT company Centric announced today on its own website that attackers stole 'a very limited number' of privacy-sensitive records belonging to one customer that were stored on a test server. The ...
- Cybersecurity News: CL-UNK-0979 Exploit Zero-Day Flaw in Ivanti Connect Secure to Gain Access to Networks
  Palo Alto Networks has issued a detailed threat briefing on two critical vulnerabilities in Ivanti products—CVE-2025-0282 and CVE-2025-0283. The vulnerabilities affect Ivanti’s Connect Secure, Policy ...
- security.nl: Clop group claims sixty victims via recent attack on Cleo software
  The criminals behind the Clop ransomware claim to have made more than sixty victims through the recent attack on file-sharing software from developer Cleo. On their own 'Clop Leaks' website they ...
- Cybersecurity News: CVE-2024-40896 (CVSS 9.1): Critical XXE Vulnerability Discovered in libxml2
  A newly discovered flaw in libxml2, a widely-used XML parsing library, could allow attackers to compromise systems and steal sensitive data. libxml2 is a robust XML parsing library written in C. Its ve ...
- BleepingComputer: Clop ransomware is now extorting 66 Cleo data-theft victims
  The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands. The cybercriminals ann ...
- BleepingComputer: Clop ransomware threatens 66 Cleo attack victims with data leak
  The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands. The cybercriminals ann ...
- Cybersecurity News: PoC Exploit Released for CVE-2024-30085: Windows Elevation of Privilege Vulnerability
  Security researcher Alex Birnberg with SSD Secure Disclosure published the technical details and a proof-of-concept (PoC) exploit code for CVE-2024-30085 – a Windows Cloud Files Mini Filter Driver Ele ...
The following table lists the changes that have been made to the CVE-2024-50623 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Modified Analysis by [email protected] (Mar. 10, 2025)
  No field changes recorded.
- CVE Modified by [email protected] (Dec. 23, 2024)
  Added CWE: CWE-434
- Initial Analysis by [email protected] (Dec. 20, 2024)
  Added CVSS V3.1 (NIST): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Added CWE (NIST): CWE-434
  Added CPE Configuration (OR):
    cpe:2.3:a:cleo:harmony:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.21
    cpe:2.3:a:cleo:lexicom:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.21
    cpe:2.3:a:cleo:vltrader:*:*:*:*:*:*:*:* versions up to (excluding) 5.8.0.21
  Changed Reference Type for https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
    Old value: No Types Assigned
    New value: Vendor Advisory
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Dec. 17, 2024)
  Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Removed CVSS V3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725 (Dec. 14, 2024)
  Added Date Added: 2024-12-13
  Added Due Date: 2025-01-03
  Added Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  Added Vulnerability Name: Cleo Multiple Products Unrestricted File Upload Vulnerability
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Dec. 10, 2024)
  Added CWE: CWE-434
  Removed CWE: CWE-79
- CVE Modified by [email protected] (Nov. 15, 2024)
  Changed Description
    Old value: In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution.
    New value: In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Oct. 30, 2024)
  Added CWE (CISA-ADP): CWE-79
  Added CVSS V3.1 (CISA-ADP): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE Modified by [email protected] (Oct. 28, 2024)
  Changed Description
    Old value: In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability.
    New value: In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution.
- CVE Received by [email protected] (Oct. 28, 2024)
  Added Description: In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability.
  Added Reference (MITRE): https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory [No types assigned]