External risk intelligence

Cleo Products: Unrestricted File Upload Risk

CVE advisory | Known Exploit

CVE-2024-50623

Certain Cleo products are affected by an unrestricted file upload and download vulnerability. This could allow unauthorized code execution, leading to potential system compromise and data risk. This vulnerability has been observed in ransomware campaigns.

Halo Surface Signal: 4

Weakness: Unrestricted File Upload

Affected product: Cleo Harmony

Affected versions: before 5.8.0.21

External exposure likelihood

Halo Surface Signal score for CVE-2024-50623

The affected products (Cleo Harmony, VLTrader, and LexiCom) are managed file transfer solutions. These applications are commonly deployed as internet-facing gateways or edge services to facilitate the exchange of data between organizations, making them frequently reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

Certain Cleo products contain a vulnerability that allows unrestricted file uploads and downloads. This flaw could enable attackers to execute malicious code on affected systems. The potential impact includes unauthorized access and control over business systems and data.

  • Vulnerable Cleo products
  • Unrestricted file upload/download
  • Remote code execution and system control

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to execute arbitrary code on a target system. The attack begins with an organization's exposure of specific Cleo products to the internet. An attacker can then leverage this network access to upload a malicious file. This action results in the attacker gaining control over the affected system.

  • External network exposure.
  • Attacker uploads malicious file.
  • Remote code execution achieved.

Live Threat

Current exploitation, exposure, and threat context

An unrestricted file upload and download vulnerability in Cleo Harmony, VLTrader, and LexiCom products could allow attackers to execute code remotely. This could impact systems by allowing unauthorized code execution, potentially leading to data compromise or denial of service. The exploitability of this vulnerability is considered high, posing a significant risk to organizations using the affected products.

  • Likely attacker skill level: No specific skill required.
  • Required access or conditions: Network access is sufficient.
  • Business risk or urgency: High risk, treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Cleo's managed file transfer products, Cleo Harmony, VLTrader, and LexiCom, contain a critical vulnerability that could permit remote code execution. This vulnerability arises from an unrestricted file upload and download capability. The potential impact includes unauthorized code execution, which could compromise system integrity and data confidentiality. This issue has been observed in a known ransomware campaign, indicating active exploitation.

  • Find affected product assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
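The first two steps above (find affected assets, decide which ones to isolate first) amount to a version-and-exposure triage over an asset inventory. The script below is an added example written for this page, not Cleo's own tooling or part of the original advisory. It uses the only fixed-version cut-off the advisory states (Cleo Harmony before 5.8.0.21); VLTrader and LexiCom are named as affected but no cut-off for them appears here, so the checker reports them as "unknown" rather than guessing. The inventory, hostnames and version numbers are constructed for the example. Note that versions are compared numerically component by component, so 5.10 correctly sorts after 5.8 (a plain string comparison would get that wrong).

```python
"""Triage a constructed asset inventory against CVE-2024-50623.

Added example; not part of the original advisory and not Cleo's tooling.
"""
from dataclasses import dataclass

# Fixed-version threshold taken from the advisory: Cleo Harmony before 5.8.0.21.
# VLTrader and LexiCom are listed as affected but the page gives no cut-off for
# them, so they are deliberately absent here and the checker returns 'unknown'.
FIXED_VERSIONS = {
    "Cleo Harmony": "5.8.0.21",
}

# Products the advisory names as affected.
AFFECTED_PRODUCTS = {"Cleo Harmony", "Cleo VLTrader", "Cleo LexiCom"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.8.0.21' into (5, 8, 0, 21)."""
    return tuple(int(p) for p in text.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b (numeric, not lexicographic).

    Shorter versions are zero-padded, so '5.8' compares as '5.8.0.0'.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


def assess(asset: Asset) -> dict:
    """Return a verdict (affected / fixed / unknown / not_in_scope) and a priority."""
    if asset.product not in AFFECTED_PRODUCTS:
        return {"host": asset.host, "verdict": "not_in_scope", "priority": "none"}
    fixed = FIXED_VERSIONS.get(asset.product)
    if fixed is None:
        verdict = "unknown"  # named as affected, but no cut-off on the page
    elif version_lt(asset.version, fixed):
        verdict = "affected"
    else:
        verdict = "fixed"
    if verdict == "fixed":
        priority = "none"
    elif asset.internet_facing:
        priority = "urgent"  # reachable from the internet and possibly vulnerable
    else:
        priority = "high"
    return {"host": asset.host, "verdict": verdict, "priority": priority}


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    Asset("mft-edge-01", "Cleo Harmony", "5.8.0.20", internet_facing=True),
    Asset("mft-edge-02", "Cleo Harmony", "5.8.0.21", internet_facing=True),
    Asset("mft-int-01", "Cleo Harmony", "5.7.1", internet_facing=False),
    Asset("mft-edge-03", "Cleo VLTrader", "5.8.0.20", internet_facing=True),
    Asset("sftp-01", "OpenSSH", "9.6", internet_facing=True),
]


def triage(inventory=SAMPLE_INVENTORY) -> list[dict]:
    """Assess every asset and sort so the most urgent items come first."""
    order = {"urgent": 0, "high": 1, "none": 2}
    return sorted((assess(a) for a in inventory), key=lambda r: order[r["priority"]])


if __name__ == "__main__":
    for row in triage():
        print(f"{row['host']:<12} {row['verdict']:<13} {row['priority']}")
```

Internet-facing hosts that are either confirmed affected or of unknown status come out first, which matches the advisory's ordering of "reduce exposure or isolate" ahead of "fix, verify, and monitor": the unknowns are the ones to confirm against the vendor's advisory before they are treated as safe.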

Frequently asked questions

What are Cleo Harmony, VLTrader, and LexiCom, and what is their function?

Cleo Harmony, VLTrader, and LexiCom are managed file transfer solutions designed for securely exchanging data between different organizations.

What type of weakness does CVE-2024-50623 describe, and what is its classification?

CVE-2024-50623 describes an unrestricted file upload and download vulnerability, classified under CWE-434. This weakness permits unauthorized uploading and downloading of files.

How can an attacker exploit the unrestricted file upload/download flaw in Cleo products?

An attacker can exploit this vulnerability by uploading a malicious file through the affected Cleo products, leading to remote code execution and potential system control.

What is the relevance of the Halo Surface Signal score for this vulnerability?

The Halo Surface Signal score of 4 ('Likely') indicates that the affected Cleo products are commonly deployed as internet-facing services, making them readily accessible to attackers.

What actions should be taken to address the Cleo product vulnerability?

Organizations should identify affected Cleo product assets, reduce their exposure or isolate the risk, apply vendor-provided fixes, verify the remediation, and continue to monitor the systems.
