CVE-2024-50623
CVE-2024-50623 is a critical-severity vulnerability in Cleo Harmony with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-12-13). The underlying weakness is classified as CWE-434.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-12-13)
- EU (EUVD) id: EUVD-2024-45217
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-12-13)
- Weakness: CWE-434
- Affected product: Cleo Harmony
- Published:
- Last modified:
Description
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
CVE-2024-50623: Cleo Unrestricted File Upload Leading to Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-50623 |
| CVSS 3.1 | 9.8 Critical |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Exploitability Score | 3.9 |
| Impact Score | 5.9 |
| EPSS | 0.98529 (99.915th percentile) |
| CWE | CWE-434 |
| KEV | Added 2024-12-13 |
| EUVD | EUVD-2024-45217 (exploited since 2024-12-13) |
Summary
Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.21 are affected by an unrestricted file upload and download vulnerability that can lead to remote code execution.
Background
Cleo Harmony, VLTrader, and LexiCom are enterprise software products from Cleo. The vulnerability exists in the file handling logic of affected versions.
Root Cause
The root cause is CWE-434: Unrestricted Upload of File with Dangerous Type. The application fails to adequately validate or restrict the types of files that can be uploaded or downloaded. This allows an attacker to introduce malicious files that the server may subsequently execute, leading to remote code execution.
Impact
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical).
- Confidentiality: HIGH - total loss of confidentiality.
- Integrity: HIGH - total loss of integrity.
- Availability: HIGH - total loss of availability.
- Attack Vector: NETWORK - exploitable remotely.
- Attack Complexity: LOW - no special conditions required.
- Privileges Required: NONE - no authentication needed.
- User Interaction: NONE - no user action required.
Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the affected service.
Exploitation Walkthrough
Ethics Caveat: This section is provided for defensive awareness only. Do not attempt to exploit systems without explicit authorization.
A generic attack flow would involve:
- Discovery: An attacker identifies an exposed Cleo instance running an affected version prior to 5.8.0.21.
- Upload: The attacker sends a crafted request to an upload endpoint, submitting a file with a dangerous type that the application accepts without sufficient validation.
- Execution: If the upload path is accessible or the application otherwise processes the file, the attacker triggers execution via a subsequent request or automated processing.
- Post-Exploitation: With code execution achieved, the attacker may establish persistence, exfiltrate data, or pivot within the network.
Defenders should assume that any endpoint accepting file uploads in these products is a potential attack surface.
Affected and Patched Versions
| Product | Affected Versions |
|---|---|
| Cleo Harmony | Prior to 5.8.0.21 |
| VLTrader | Prior to 5.8.0.21 |
| LexiCom | Prior to 5.8.0.21 |
Organizations should upgrade to 5.8.0.21 or later.
Remediation
- Upgrade: Apply the vendor-provided patch by upgrading to version 5.8.0.21 or later.
- Network Segmentation: Restrict network access to Cleo interfaces to trusted hosts and segments.
- File Upload Controls: If available, enable strict file-type validation and restrict upload directories from being directly executable.
- File Integrity Monitoring: Monitor critical application directories for unauthorized file additions or modifications.
- Least Privilege: Ensure the application service accounts run with the minimum necessary privileges.
Detection
- Monitor application logs for unexpected file upload or download requests directed at Cleo endpoints.
- Alert on the presence of suspicious files in upload directories.
- Review outbound network connections initiated by Cleo service accounts for signs of post-exploitation activity.
- Enable process monitoring to detect unexpected child processes spawned by the application runtime.
Assessment
With an EPSS score of 0.98529 (99.915th percentile), this vulnerability is among the most likely to be exploited in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog on 2024-12-13 and the EUVD (EUVD-2024-45217) exploited-since date of 2024-12-13 confirms active exploitation.
Key Lessons:
- File transfer endpoints are high-value targets. Because they routinely process untrusted files and sit at network boundaries, they attract attackers seeking remote code execution.
- Rapid weaponization demands rapid patching. The short interval between disclosure and KEV/EUVD listing indicates that threat actors moved quickly to weaponize this flaw. Patching velocity is the most critical control.
References
Frequently asked questions
- What is CVE-2024-50623?
- In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
- How severe is CVE-2024-50623?
- CVE-2024-50623 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-50623 being actively exploited?
- Yes. CVE-2024-50623 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-12-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-50623?
- CVE-2024-50623 primarily affects Cleo Harmony. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-50623?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-50623 have an EU (EUVD) identifier?
- Yes. CVE-2024-50623 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-45217. It is also flagged as exploited in the EUVD (since 2024-12-13).
- When was CVE-2024-50623 published?
- CVE-2024-50623 was published on 2024-10-28 and last updated on 2026-06-17.
References
- https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-50623
Affected products (3)
- cpe:2.3:a:cleo:harmony:*:*:*:*:*:*:*:*
- cpe:2.3:a:cleo:lexicom:*:*:*:*:*:*:*:*
- cpe:2.3:a:cleo:vltrader:*:*:*:*:*:*:*:*
More vulnerabilities in Cleo Harmony
- CVE-2024-55956 — Critical (CVSS 9.8): In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can…
All CVEs affecting Cleo Harmony →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →