Two arbitrary file upload vulnerabilities leading to unauthenticated remote code execution, CVE-2024-50623 and CVE-2024-55956, affect Cleo's managed file transfer products Harmony, VLTrader, and LexiCom. Huntress reported in-the-wild exploitation of systems that had already applied the original fix, which led to the second CVE.
- CVE-2024-50623 affects versions 5.8.0.21 and prior, including systems that were fully patched against the original October 2024 advisory.
- CVE-2024-55956 affects versions 5.8.0.23 and prior, including systems that were fully patched against CVE-2024-50623.
The root cause of both issues is an unauthenticated arbitrary file write. Because the products execute files placed in their Autorun directory in the default configuration, an attacker who can write a file to that location can run arbitrary code on the vulnerable host.
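The affected ranges above are a common source of triage mistakes, because dotted build numbers compared as strings sort "5.8.0.9" after "5.8.0.23". The following is an added example, not Bitsight's or Cleo's code: it parses a Cleo version string into integer components, classifies it against the two ranges stated above, and contrasts the result with the naive string comparison. The version strings in the test inputs are constructed; the only fixed version implied by the page is the first one outside both ranges, 5.8.0.24.

```python
"""Classify a Cleo Harmony / VLTrader / LexiCom version string against the
affected ranges for CVE-2024-50623 and CVE-2024-55956.

Added example for this advisory; not code from Bitsight, Cleo, or Huntress.
"""
import re

# Highest affected build for each CVE, taken from the affected-version list
# in the advisory ("5.8.0.21 and prior", "5.8.0.23 and prior").
AFFECTED_THROUGH = {
    "CVE-2024-50623": (5, 8, 0, 21),
    "CVE-2024-55956": (5, 8, 0, 23),
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.8.0.21' into (5, 8, 0, 21); reject anything that is not dotted integers."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short strings so '5.7' compares as (5, 7, 0, 0) against four-part builds.
    return parts + (0,) * max(0, 4 - len(parts))


def affected_cves(version: str) -> list[str]:
    """Return the CVEs whose affected range includes `version` (empty list if none)."""
    parsed = parse_version(version)
    return [cve for cve, last in AFFECTED_THROUGH.items() if parsed <= last]


def naive_string_check_is_affected(version: str) -> bool:
    """The tempting but wrong check: lexicographic comparison of the raw strings.

    Kept here only to show the failure mode; do not use it for triage.
    """
    return version <= "5.8.0.23"


def triage(version: str) -> str:
    """One-line human-readable verdict for an inventory report."""
    hits = affected_cves(version)
    if not hits:
        return f"{version}: not in either affected range"
    return f"{version}: affected by {', '.join(hits)}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("5.8.0.9", "5.8.0.21", "5.8.0.22", "5.8.0.23", "5.8.0.24"):
        print(triage(v))
```

`affected_cves("5.8.0.22")` returns only CVE-2024-55956, since 5.8.0.22 is past the first range but inside the second; `affected_cves("5.8.0.9")` returns both, while the string comparison wrongly reports that build as unaffected.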
News
- Multiple reports confirm active exploitation, and proof-of-concept code is widely available.
- Official scoring is still emerging. CISA-ADP rated CVE-2024-50623 as CVSS v3.1 High (8.8); Bitsight's analysis indicates the real-world severity may be higher, since the configuration required for exploitation (Autorun) is enabled by default.
- CISA added CVE-2024-50623 to the Known Exploited Vulnerabilities (KEV) catalog on December 13, 2024.
Status
13-DEC-2024 – Investigation began, a proof of concept was completed, and a full scan was initiated so that vulnerability data for CVE-2024-50623 can be ingested into Bitsight repositories.