# CVE-2024-50623
Published 2024-10-28
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

| Priority | Severity | CVSS 3.1 | Vector |
|---|---|---|---|
| P1 (100) | critical | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2025-01-03) · Exploited in the wild
EPSS: 98.53% (99.9th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cleo | harmony | < 5.8.0.21 | 5.8.0.21 |
| cleo | lexicom | < 5.8.0.21 | 5.8.0.21 |
| cleo | vltrader | < 5.8.0.21 | 5.8.0.21 |
Detection & IOCs (extracted from sources)
Sigma rules:
- Possible Cleo MFT Exploitation 2024
- Javaw Spawning Suspicious PowerShell
Detection guidance:
- Look for javaw.exe spawning PowerShell processes — this is the key parent-child relationship indicating Cleo exploitation via the Autorun feature.
- Monitor the Autorun directory (e.g., C:\LexiCom\autorun\, C:\VLTrader\autorun\, C:\Harmony\autorun\) for unexpected files, especially .txt files like healthcheck.txt or healthchecktemplate.txt.
- Check LexiCom.xml and LexiCom.dbg log files for references to malicious autorun files being processed, including paths like autorun/healthchecktemplate.txt.
- Attackers deploy encoded JAR files for post-exploitation that reach out to external IPs; monitor for outbound connections from javaw.exe to the listed callback IPs.
- Attackers delete JAR files post-execution to evade detection; look for file creation/deletion events of .jar files in Cleo installation directories.
- The Malichus backdoor was delivered as a malicious Freemarker template containing server-side JavaScript; hunt for unexpected .ftl or template files in Cleo installation directories.
- Attackers abuse the default Autorun folder to import and execute arbitrary bash or PowerShell commands; alert on any process execution originating from the Autorun directory path.
Notes:
- Fully patched systems running version 5.8.0.21 remain exploitable; the October patch for CVE-2024-50623 does NOT fully mitigate the vulnerability. Upgrade to 5.8.0.24 is required.
- Disabling the Autorun feature (clearing the Autorun Directory field in System Options) reduces attack surface but does NOT block all incoming attacks.
- Malichus malware was only observed deployed on Windows devices in the wild, despite also having Linux support — detection efforts should prioritize Windows hosts.
- After applying the 5.8.0.24 patch, Cleo software logs errors and removes files related to the exploit found at startup — review startup logs post-patching to identify prior compromise.
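As an added example (not code from the page's sources), the hunt below encodes the javaw-to-PowerShell, Autorun-directory and log-reference indicators listed above and runs them over constructed sample events. The Cleo paths are the defaults quoted in the notes; the Sysmon-style field names (ParentImage, Image, TargetFilename) and every sample event are assumptions.

```python
"""Hunting helpers for the Cleo MFT indicators listed above. Added example, not
code from the page's sources; field names are Sysmon-style and assumed, and all
sample events and log lines are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Default Cleo install roots and their Autorun folders, as quoted in the notes.
CLEO_ROOTS = (r"C:\LexiCom", r"C:\VLTrader", r"C:\Harmony")
AUTORUN_DIRS = tuple(root + r"\autorun" for root in CLEO_ROOTS)
# File names the notes single out; any other file in Autorun is still reported.
NAMED_AUTORUN_FILES = {"healthcheck.txt", "healthchecktemplate.txt"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Log references such as "autorun/healthchecktemplate.txt" (either slash style).
AUTORUN_LOG_RE = re.compile(r"autorun[/\\]([\w.-]+)", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def _under(path: str, roots) -> bool:
    """True if path lies beneath any directory in roots (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(r.lower() + "\\") for r in roots)

def check_process_event(ev: dict) -> list:
    """Process-creation event: flag javaw.exe (Cleo's Java host) spawning a
    shell, and any image that executes out of an Autorun directory."""
    out = []
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    image = ev.get("Image", "")
    if parent == "javaw.exe" and PureWindowsPath(image).name.lower() in SHELLS:
        out.append(Finding("javaw_spawns_shell", f"{ev['ParentImage']} -> {image}"))
    if _under(image, AUTORUN_DIRS):
        out.append(Finding("exec_from_autorun", image))
    return out

def check_file_event(ev: dict) -> list:
    """File create/delete event: flag files landing in Autorun (the two named
    template files get their own rule) and .jar churn under a Cleo root."""
    out = []
    path = ev.get("TargetFilename", "")
    name = PureWindowsPath(path).name.lower()
    action = ev.get("Action", "?")
    if _under(path, AUTORUN_DIRS):
        rule = "autorun_named_template" if name in NAMED_AUTORUN_FILES else "autorun_unexpected_file"
        out.append(Finding(rule, f"{action} {path}"))
    elif name.endswith(".jar") and _under(path, CLEO_ROOTS):
        out.append(Finding("jar_churn_in_cleo_dir", f"{action} {path}"))
    return out

def scan_cleo_log(lines) -> list:
    """LexiCom.dbg / LexiCom.xml style lines: report every autorun file reference."""
    out = []
    for line in lines:
        m = AUTORUN_LOG_RE.search(line)
        if m:
            out.append(Finding("log_autorun_reference", m.group(0)))
    return out

# Constructed sample telemetry (not real data); each rule fires once, and the
# explorer.exe -> powershell.exe and non-Cleo .jar events stay silent.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\LexiCom\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\LexiCom\jre\bin\javaw.exe",
     "Image": r"C:\LexiCom\autorun\update.exe"},
]
SAMPLE_FILE_EVENTS = [
    {"Action": "create", "TargetFilename": r"C:\LexiCom\autorun\healthchecktemplate.txt"},
    {"Action": "delete", "TargetFilename": r"C:\VLTrader\temp\1733731200.jar"},
    {"Action": "create", "TargetFilename": r"C:\Users\ops\build\app.jar"},
]
SAMPLE_LOG_LINES = [
    "2024-12-09 03:12:55 INFO  Processing autorun/healthchecktemplate.txt",
    "2024-12-09 03:13:01 INFO  Scheduler idle",
]

def run_hunt(proc_events=SAMPLE_PROCESS_EVENTS, file_events=SAMPLE_FILE_EVENTS,
             log_lines=SAMPLE_LOG_LINES) -> list:
    """Run all three checks and return the combined findings in order."""
    findings = []
    for ev in proc_events:
        findings += check_process_event(ev)
    for ev in file_events:
        findings += check_file_event(ev)
    findings += scan_cleo_log(log_lines)
    return findings
```

Feed real Sysmon or EDR events into the three check functions in place of the constructed samples; a hit on exec_from_autorun or javaw_spawns_shell on a Cleo host warrants immediate triage of the Autorun directory and startup logs.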
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
## GHSA-8j74-v9cr-x39h
Source: GHSA (ghsa_unreviewed) · 2024-10-28 · CVE-2024-50623 [HIGH] · CWE-434
In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability.
## Cleo Multiple Products Unauthenticated File Upload Vulnerability
Source: VulnCheck (vulncheck) · 2024 · CVE-2024-55956 [CRITICAL] · CWE-276 · CVSS 9.8
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Affected: Cleo Multiple Products
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cyberplace.social/@GossiTheDog/113628339890303857; https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/; https://threats.wiz.i
## Cleo Multiple Products Unrestricted File Upload Vulnerability
Source: VulnCheck (vulncheck) · 2024 · CVE-2024-50623 [CRITICAL] · CWE-434 · CVSS 9.8
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.
Affected: Cleo Multiple Products
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild; https://cyberplace.social/@GossiTheDog/113628339890303857; https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/; https://infosec.ex
## Cleo Multiple Products Unrestricted File Upload Vulnerability
Source: CISA (cisa) · 2024-12-13 · CVE-2024-50623 [CRITICAL] · CWE-434 · CVSS 9.8
Affected: Cleo Multiple Products
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update ; https://nvd.nist.gov/vuln/detail/CVE-2024-50623
Remediation Due Date: 2025-01-03
## ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Write (CVE-2024-50623)
Source: Suricata (suricata) · 2024-12-11 · CVE-2024-50623 [CRITICAL] · CVSS 9.8
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Write (CVE-2024-50623)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Synchronization"; http.header; to_lowercase; content:"vlsync|3a 20|add|3b|"; fast_pattern; content:"path|3d|"; distance:0; pcre:"/^[^\x0d\x0a\x3b]*[\x2f\x5c]/R"; reference:url,labs.watchtowr.com/cleo-cve-2024-50623/; reference:cve,2024-50623; classtype:web-application-attack; sid:2058190; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_12_11, cve CVE_2024_50623, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KE
```
## ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Read (CVE-2024-50623)
Source: Suricata (suricata) · 2024-12-11 · CVE-2024-50623 [CRITICAL] · CVSS 9.8
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cleo MFT Arbitrary File Read (CVE-2024-50623)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Synchronization"; http.header; to_lowercase; content:"vlsync|3a 20|retrieve|3b|"; fast_pattern; content:"v|3d|"; content:"path|3d|"; pcre:"/^[^\x0d\x0a\x3b]*[\x2f\x5c]/R"; reference:url,labs.watchtowr.com/cleo-cve-2024-50623/; reference:cve,2024-50623; classtype:web-application-attack; sid:2058191; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_12_11, cve CVE_2024_50623, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag
```
## Cleo Harmony < 5.8.0.21 - Arbitrary File Read
Source: Nuclei (nuclei) · CVE-2024-50623 [CRITICAL] · CVSS 9.8
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
Template:
```yaml
id: CVE-2024-50623
info:
  name: Cleo Harmony < 5.8.0.21 - Arbitary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
  impact: |
    Attackers can exploit vulnerabilities to compromise the system.
  remediation: |
    Update to the latest patched version addressing CVE-2024-50623.
  reference:
    - https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
```
## Logitech confirms data breach after Clop extortion attack
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-11-14 · by Lawrence Abrams
Hardware accessory giant Logitech has confirmed it suffered a data breach in a cyberattack claimed by the Clop extortion gang, which conducted Oracle E-Business Suite data theft attacks in July.
Logitech International S.A. is a Swiss multinational electronics company that sells hardware and software solutions, including computer peripherals, gaming, video collaboration, music, and smart home products.
Today, Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission, confirming that data was stolen in a breach.
"Logitech International S.A. ("Logitech") recently experienced a cybersecurity incident relating to the exfiltration of data. The cybersecurity incident has not impacted Logitech's p
## American Airlines subsidiary Envoy confirms Oracle data theft attack
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-10-17 · CVSS 9.8 [CRITICAL] · by Lawrence Abrams
Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.
"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."
Envoy Air is a subsidiary of American
## Harvard investigating breach linked to Oracle zero-day exploit
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-10-13 · CVSS 9.8 [CRITICAL] · by Lawrence Abrams
Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site, saying the alleged breach was likely caused by a recently disclosed zero-day vulnerability in Oracle's E-Business Suite servers.
"Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system. This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard," a Harvard University Information Technology spokesperson told BleepingComputer.
"While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated wit
## Clop exploited Oracle zero-day for data theft since early August
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-10-07 · CVE-2025-61882 · CVSS 9.8 [CRITICAL] · by Sergiu Gatlan
The Clop ransomware gang has been exploiting a critical Oracle E-Business Suite (EBS) zero-day bug in data theft attacks since at least early August, according to cybersecurity company CrowdStrike.
Tracked as CVE-2025-61882 and patched by Oracle over the weekend, this vulnerability was discovered in the BI Publisher Integration component of Oracle EBS's Concurrent Processing component, allowing unauthenticated attackers to gain remote code execution on unpatched systems in low-complexity attacks that don't require user interaction.
However, as watchTowr Labs security researchers found while reverse-engineering a proof-of-concept (PoC) exploit leaked online by the Scattered Lapsus$ Hunters cybercrime g
## Oracle patches EBS zero-day exploited in Clop data theft attacks
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-10-05 · CVE-2025-61882 · CVSS 9.8 [CRITICAL] · by Lawrence Abrams
Update 10/6/25 11:15 AM ET: Updated story with more information on the leaked Oracle source code and the leaking of the exploit.
Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.
The flaw is within the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has a CVSS base score of 9.8, due to its lack of authentication and ease of exploitation.
"This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite," reads a new Oracle advisory.
"This v
## Oracle links Clop extortion attacks to July 2025 vulnerabilities
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-10-03 · CVSS 6.1 [MEDIUM] · by Sergiu Gatlan
Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025.
While the company has yet to attribute the attack to this ransomware operation, Rob Duhart, the Chief Security Officer of Oracle, confirmed that customers had received extortion emails from the gang.
Duhart also urged Oracle customers to update their software and advised those requiring further assistance to contact the Oracle support team.
"Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails," Duhart said in a Thursday statement. "Our ongoing investigation has found the potential use of previously ide
## Clop extortion emails claim theft of Oracle E-Business Suite data
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-10-01 · by Lawrence Abrams
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.
"This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said.
Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts.
"We a
## 14th April – Threat Intelligence Report
Source: Checkpoint (blogs_checkpoint) · 2025-04-14 · mentions CVE-2024-50623
For the latest discoveries in cyber research for the week of 14th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The United States Office of the Comptroller of the Currency (OCC), an independent bureau of the Department of the Treasury, has suffered a significant security breach. Threat actors have gained access to the bureau’s email messages for a period of a year and a half. According to the agency’s disclosure, the messages included
## Food giant WK Kellogg discloses data breach linked to Clop ransomware
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-04-07 · CVE-2024-50623 · CVSS 9.8 [CRITICAL] · by Bill Toulas
US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks.
Cleo software is a managed file transfer utility that was targeted by the Clop ransomware gang en masse at the end of last year. This attack leveraged two zero-day flaws tracked as CVE-2024-50623 and CVE-2024-55956, allowing the threat actors to breach servers and steal data.
"WK Kellogg learned on February 27, 2025, that a security incident may have occurred involving Cleo," reads the notice.
"WK Kellogg immediately began to investigate. We contacted Cleo, and Cleo informed us that an unauthorized person gained access on December 7, 2024, to the servers Cleo hosted fo
## Retail giant Sam’s Club investigates Clop ransomware breach claims
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-03-28 · CVSS 9.8 [CRITICAL] · by Sergiu Gatlan
Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach.
The Walmart division operates over 600 warehouse clubs with millions of members across the United States and Puerto Rico and almost 200 additional locations in Mexico and China.
Sam's Club has over 2.3 million employees and reported a total revenue of $84.3 billion for the fiscal year ending January 31, 2023.
"We are aware of reports regarding a potential security incident and are actively investigating the matter," a Sam's Club spokesperson told BleepingComputer. "Protecting the privacy and security of our members' information is a top priority at Sam's Club.
## Western Alliance Bank notifies 21,899 customers of data breach
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2025-03-18 · by Sergiu Gatlan
Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached.
Western Alliance is a wholly owned subsidiary of Western Alliance Bancorporation, a leading U.S. banking company with over $80 billion in assets.
The bank first revealed in a February SEC filing that the attackers exploited a zero-day vulnerability in the third-party software (disclosed by the vendor on October 27, 2024) to hack a limited number of Western Alliance systems and exfiltrate files stored on the compromised devices.
Western Alliance found that customer data was exfiltrated from its network only after
## Cleo Software Actively Being Exploited in the Wild CVE-2024-55956 | Huntress
Source: Huntress (blogs_huntress) · 2025-01-06 · CVE-2024-55956 [CRITICAL] · CVSS 9.8
## CVE-2024-55956 Summary
On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623—which allows unauthenticated remote code execution—Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.
TL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.
## 30th December – Threat Intelligence Report
Source: Checkpoint (blogs_checkpoint) · 2024-12-30 · CVE-2024-50623 [CRITICAL] · CVSS 9.8
For the latest discoveries in cyber research for the week of 30th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours to initiate ransom negotiations before publicly disclosing their identities. This incident mirrors
## Clop ransomware is now extorting 66 Cleo data-theft victims
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2024-12-24 · CVSS 9.8 [CRITICAL] · by Bill Toulas
The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands.
The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.
In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours.
The hackers note that the list represents only victims that have been con
## Clop ransomware claims responsibility for Cleo data theft attacks
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2024-12-15 · CVE-2024-50623 · CVSS 9.8 [CRITICAL] · by Lawrence Abrams
12/16/24 update: Article updated to include new information about Cleo CVE-2024-50623 and CVE-2024-55956 flaws.
The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits tracked as CVE-2024-50623 and CVE-2024-55956 to breach corporate networks and steal data.
Cleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use to securely exchange files between their business partners and customers.
## The Cleo zero-days
In October, Cleo disclosed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads, leading to remote code
## CISA confirms critical Cleo bug exploitation in ransomware attacks
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2024-12-13 · CVE-2024-50623 · CVSS 9.8 [CRITICAL] · by Sergiu Gatlan
CISA confirmed today that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks.
This flaw (tracked as CVE-2024-50623 and impacting all versions before version 5.8.0.21) enables unauthenticated attackers to gain remote code execution on vulnerable servers exposed online.
Cleo released security updates to fix it in October and warned all customers to "immediately upgrade instances" to additional potential attack vectors.
The company has not disclosed that CVE-2024-50623 was targeted in the wild; however, on Friday, CISA added the security bug to its catalog of known exploited vulnerabilities, tagging it as being used
## Cleo patches critical zero-day exploited in data theft attacks
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2024-12-12 · CVE-2024-50623 · CVSS 9.8 [CRITICAL] · by Sergiu Gatlan
Cleo has released security updates for a zero-day flaw in its LexiCom, VLTransfer, and Harmony software, currently exploited in data theft attacks.
In October, the company patched a pre-auth remote code execution vulnerability (CVE-2024-50623) in its managed file transfer software and recommended that "all customers upgrade immediately."
Huntress security researchers first spotted evidence of attacks targeting fully patched Cleo software on December 3. This was followed by a notable increase in activity on Sunday, December 8, after attackers quickly discovered a CVE-2024-50623 bypass (with no CVE-ID) that lets them import and execute arbitrary bash or PowerShell commands by exploiting the default Autor
## New Cleo zero-day RCE flaw exploited in data theft attacks
Source: Bleepingcomputer (blogs_bleepingcomputer) · 2024-12-10 · CVSS 9.8 [CRITICAL] · by Bill Toulas
Update added to bottom of the article.
Hackers are actively exploiting a zero-day vulnerability in Cleo managed file transfer software to breach corporate networks and conduct data theft attacks.
The flaw is found in the company's secure file transfer products, Cleo LexiCom, VLTrader, and Harmony, and is a flaw that allows unrestricted file upload and downloads that leads to remote code execution.
The Cleo MFT vulnerability affects versions 5.8.0.21 and earlier and is a bypass for a previously fixed flaw, CVE-2024-50623, which Cleo addressed in October 2024. However, the fix was incomplete, allowing threat actors to bypass it and continue to exploit it in attacks.
Cleo says its software is used by 4,000 com
## Cleo MFT: CVE-2024-50623
Source: Recorded Future (blogs_recorded_future) · CVE-2024-50623 [CRITICAL] · CVSS 9.8 · "Cleo MFT Vulnerability CVE-2024-50623: Critical RCE Risk"
## What is CVE-2024-50623
CVE-2024-50623 is a critical unrestricted file upload and download vulnerability that could lead to remote code execution (RCE).
## What are the affected products?
The vulnerability affects Cleo's managed file transfer (MFT) products Harmony, VLTrader, and LexiCom before version 5.8.0.21.
- Cleo Harmony 5.8
- Cleo LexiCom 5.5.0.0
- Cleo LexiCom 5.6
- Cleo LexiCom 5.6.1
- Cleo LexiCom 5.6.2
- Cleo LexiCom 5.7
- Cleo LexiCom 5.8
- Cleo VLTrader 5.8
## Description
On December 13, 2024, Recorded Future’s Insikt Group published a TTP Instance detailing cybersecurity firm watchTowr Labs’ analysis of an alleged proof-of-concept (PoC) exploit for CVE-2024-50623.
CVE-2024-50623 stems from insufficient input validation, improper path sani
## CISO Monthly Roundup, January 2025: DeepSeek risks, new Xloader versions, and more
Source: Zscaler, CXO Revolutionaries (blogs_zscaler) · Feb 10, 2025 · by Deepen Desai (Contributor, Zscaler)
Insights from threats explored by the Zscaler ThreatLabz team in January.
This past month, the Zscaler ThreatLabz security research team detailed the risks in DeepSeek, analyzed Xloader, and revealed the latest obfuscation, specialization, and evasion techniques by LockBit, Clop, and Raspberry Robin.
## DeepSeek: A CISO's Insight into Potential Security Weaknesses
The recent launch of DeepSeek, a large language model (LLM) developed by a Chinese AI company, sent shockwaves across the tech industry. The open source model is accessible globally and comes with its own set of risks. When it comes to LLMs, there are three groups - builders (sm
## Automated Vulnerability Validation and Verification: A Large Language Model Approach
Source: arXiv (arxiv_fulltext) · 2025-11-13 · Alireza Lotfi, Charalampos Katsis, Elisa Bertino (Department of Computer Science, Purdue University, West Lafayette, IN, USA)
## Abstract
Software vulnerabilities remain a critical security challenge, providing entry points for attackers to compromise enterprise networks. Despite advances in security practices, the lack of high-quality datasets capturing the behavior of diverse exploits hinders effective vulnerability assessment and mitigation.
This paper introduces an end-to-end multi-step pipeline
Timeline:
- 2024-10-28: Published
- 2024-12-13: Added to CISA KEV
- Exploited in the wild