CVE-2024-50623
Published: 28 October 2024
Summary
CVE-2024-50623 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Cleo Harmony. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.21 contain an unrestricted file upload and download flaw tracked as CVE-2024-50623. The issue stems from missing validation on file types and paths during transfer operations, allowing arbitrary files to be placed on or retrieved from the affected system and directly enabling remote code execution.
An unauthenticated attacker with network access can upload a malicious executable or script, then trigger its execution through the application or underlying operating system, achieving full control over the target host. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting that no credentials or user interaction are required.
Cleo’s security advisory recommends immediate upgrade to version 5.8.0.21 or later for all three products. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
The associated EPSS score has reached a peak of 0.9694 with a current value of 0.9401, indicating sustained and widespread exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45217
Vulnerability details
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- KEV Date Added: 13 December 2024
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly blocks the unauthenticated file upload/download operations that enable arbitrary file placement and RCE.
- SI-10 (Information Input Validation): requires validation of all input files (type, name and path) so that malicious payloads are rejected before they can be stored or executed.
- Malicious-code scanning: scans uploaded content to stop, or alert on, weaponized files used for RCE.
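As an added defensive example (not Cleo's code and not part of this record), the following Python upload gate applies the two controls named above in the order a file-transfer server would: AC-3 refuses unauthenticated callers before any content is examined, and SI-10 validates the file name, path, type and leading bytes before the file is written into the inbox. The inbox directory, the extension allow-list, the executable/script signatures and the request shape are all constructed assumptions for illustration.

```python
"""Added example: an upload gate applying NIST 800-53 AC-3 and SI-10 to a
file-transfer inbox. All names, paths and sample values are constructed."""
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed allow-list of data file types a trading-partner inbox should accept.
ALLOWED_EXTENSIONS = {".csv", ".edi", ".xml", ".txt", ".pdf"}
# Assumed signatures of executable or script content that must never be stored:
# PE ("MZ"), ELF, zip/jar ("PK"), shebang scripts, JSP/ASP and PHP tags.
DANGEROUS_MAGIC = (b"MZ", b"\x7fELF", b"PK\x03\x04", b"#!", b"<%", b"<?php")
MAX_SIZE = 50 * 1024 * 1024  # assumed 50 MiB ceiling


@dataclass
class UploadRequest:
    """A constructed view of one upload: who (if anyone) is authenticated,
    the client-supplied file name, and the raw bytes."""
    authenticated_user: Optional[str]
    filename: str
    content: bytes


def safe_target_path(base_dir: str, filename: str) -> Optional[str]:
    """Return an absolute destination inside base_dir, or None if the name is unsafe."""
    # Client-supplied directory components are never honoured; only a bare name is accepted.
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return None
    if filename in (".", "..") or filename.startswith("."):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Belt and braces: the resolved path must still sit inside the inbox.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def validate_upload(req: UploadRequest, base_dir: str) -> Tuple[bool, str]:
    """Return (accepted, detail). On success detail is the destination path;
    on rejection it names the control that blocked the request."""
    # AC-3: access enforcement happens first, before content is touched.
    if not req.authenticated_user:
        return False, "AC-3: authentication required"
    # SI-10: validate name/path, type, size and leading bytes of the input.
    target = safe_target_path(base_dir, req.filename)
    if target is None:
        return False, "SI-10: unsafe file name or path"
    ext = os.path.splitext(target)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"SI-10: file type '{ext}' is not permitted"
    if len(req.content) > MAX_SIZE:
        return False, "SI-10: file exceeds size limit"
    # Malicious-code scan (lightweight stand-in for an AV/YARA hook):
    # a permitted extension must not carry executable or script content.
    if req.content.startswith(DANGEROUS_MAGIC):
        return False, "content scan: executable or script signature detected"
    return True, target


if __name__ == "__main__":
    inbox = "/srv/partner-inbox"  # constructed path
    samples = [
        UploadRequest(None, "orders.csv", b"id,qty\n1,5\n"),
        UploadRequest("partner1", "orders.csv", b"id,qty\n1,5\n"),
        UploadRequest("partner1", "../../opt/app/hook.txt", b"x"),
        UploadRequest("partner1", "page.jsp", b"<% out.println(1); %>"),
        UploadRequest("partner1", "invoice.txt", b"MZ\x90\x00\x03"),
    ]
    for s in samples:
        print(f"{s.filename!r:32} -> {validate_upload(s, inbox)}")
```

The order of checks matters: authentication is decided before any bytes are parsed, so an unauthenticated request never reaches the content scanner, and the file-name check rejects client-supplied directory components outright rather than trying to normalise them. A real deployment would replace the magic-byte tuple with a proper malicious-code scanner, but the gate structure stays the same.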