CVE-2024-50623

Published Oct 28, 2024

Last updated a month ago

Insights

Analysis from the Intruder Security Team

Published Dec 10, 2024

CVE-2024-50623 can be exploited by an unauthenticated attacker to gain remote code execution on affected Cleo servers. Widespread exploitation has been observed. The vendor's advisory page is available here.

John Hammond at Huntress has released a technical article regarding this vulnerability, including a list of IOC's from live attacks in the wild. Originally it was believed that this patch was insufficient in fixing this CVE, due to ongoing exploitation against patched hosts. However, it seems that there is a second unauthenticated remote code execution vulnerability which does not carry a CVE currently. Further details regarding this unknown CVE can be found here.

Overview

Description: In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Cleo Multiple Products Unrestricted File Upload Vulnerability
Exploit added on: Dec 13, 2024
Exploit action due: Jan 3, 2025
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

cve@mitre.org: CWE-434
nvd@nist.gov: CWE-434
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-434

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:cleo:harmony:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "829892E7-DFA5-4153-A1B0-D2C64054ED9F",
            "versionEndExcluding": "5.8.0.21"
          },
          {
            "criteria": "cpe:2.3:a:cleo:lexicom:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EA757293-8537-4DCE-BC91-E2D4A5CB08B3",
            "versionEndExcluding": "5.8.0.21"
          },
          {
            "criteria": "cpe:2.3:a:cleo:vltrader:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "01120D67-ED19-4B22-9484-A39715E02058",
            "versionEndExcluding": "5.8.0.21"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]