CVE-2024-50623
published 2024-10-28

Priority: P1 (score 100) · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2025-01-03)
Exploited in the wild
EPSS: 98.53% (99.9th percentile)

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

Affected

3 ranges

Vendor  Product   Version range  Fixed in
cleo    harmony   < 5.8.0.21     5.8.0.21
cleo    lexicom   < 5.8.0.21     5.8.0.21
cleo    vltrader  < 5.8.0.21     5.8.0.21

Note: per the hunting notes below, the 5.8.0.21 fix is incomplete and 5.8.0.24 is the build to be on.

Detection & IOCs (extracted from sources)

IP addresses (post-exploitation callback infrastructure):
  176.123.5.126
  5.149.249.226
  185.181.230.103
  209.127.12.38
  181.214.147.164
  192.119.99.42
Filenames:
  60282967-dc91-40ef-a34c-38e992509c2c.xml
  healthchecktemplate.txt
  healthcheck.txt
Paths:
  C:\LexiCom
  C:\VLTrader
  C:\Harmony
  autorun/healthchecktemplate.txt
Processes:
  nltest.exe
Sigma rules:
  Possible Cleo MFT Exploitation 2024
  Javaw Spawning Suspicious PowerShell
  • Look for javaw.exe spawning PowerShell. This parent-child relationship is the key indicator of Cleo exploitation via the Autorun feature, because the Cleo service runs under javaw.exe and executes Autorun commands as child processes.
  • Monitor the Autorun directory (e.g., C:\LexiCom\autorun\, C:\VLTrader\autorun\, C:\Harmony\autorun\) for unexpected files, especially .txt files named healthcheck.txt or healthchecktemplate.txt.
  • Check the LexiCom.xml and LexiCom.dbg log files for references to malicious Autorun files being processed, including paths such as autorun/healthchecktemplate.txt.
  • Attackers deploy encoded JAR files for post-exploitation that reach out to external IPs; monitor for outbound connections from javaw.exe to the callback IPs listed above.
  • Attackers delete the JAR files after execution to evade detection; look for creation and deletion events of .jar files in the Cleo installation directories.
  • The Malichus backdoor was delivered as a malicious Freemarker template containing server-side JavaScript; hunt for unexpected .ftl or other template files in the Cleo installation directories.
  • Attackers abuse the default Autorun folder to import and execute arbitrary bash or PowerShell commands; alert on any process execution originating from the Autorun directory path.
  • Systems running 5.8.0.21 (the build that fixes CVE-2024-50623) remain exploitable: the October patch does NOT fully mitigate the issue. Upgrading to 5.8.0.24 is required.
  • Disabling the Autorun feature (clearing the Autorun Directory field in System Options) reduces the attack surface but does NOT block all incoming attacks.
  • Malichus was only observed deployed on Windows hosts in the wild, despite also having Linux support, so detection efforts should prioritise Windows hosts.
  • After the 5.8.0.24 patch is applied, the Cleo software logs errors and removes exploit-related files it finds at startup; review the startup logs after patching to identify prior compromise.
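The hunting notes above can be turned into a small triage script. The following is an added example, not code from the original page, from Cleo, or from the vendors whose findings the page summarises. It applies the notes to Sysmon-style endpoint events (process creation, file create/delete, network connection) and to LexiCom.dbg-style log lines; field names follow Sysmon conventions, and every event, path, command line and log line in the sample data is constructed for illustration rather than taken from a real incident.

```python
"""Hunt for Cleo Harmony/VLTrader/LexiCom Autorun abuse in endpoint telemetry.

Added example: not code from the original page, from Cleo, or from any vendor
the page cites. Field names (EventID, Image, ParentImage, TargetFilename,
DestinationIp) follow Sysmon conventions; all sample events and log lines
below are constructed for illustration.
"""
import re

CLEO_DIRS = ("C:\\LexiCom", "C:\\VLTrader", "C:\\Harmony")
AUTORUN_NAMES = {"healthcheck.txt", "healthchecktemplate.txt"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
CALLBACK_IPS = {
    "176.123.5.126", "5.149.249.226", "185.181.230.103",
    "209.127.12.38", "181.214.147.164", "192.119.99.42",
}
# The page states 5.8.0.21 is still exploitable; 5.8.0.24 is the required build.
FIXED_VERSION = (5, 8, 0, 24)
AUTORUN_LOG_RE = re.compile(r"autorun/[\w.\-]+", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_cleo_dir(path):
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in CLEO_DIRS)


def in_autorun(path):
    p = path.lower()
    return any(p.startswith(d.lower() + "\\autorun\\") for d in CLEO_DIRS)


def needs_upgrade(version):
    """True when an installed build is older than 5.8.0.24."""
    return tuple(int(x) for x in version.split(".")) < FIXED_VERSION


def classify(ev):
    """Return (severity, reason) findings for one Sysmon-style event."""
    found = []
    eid = ev["EventID"]
    if eid == 1:  # process creation
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        if parent == "javaw.exe" and image in SHELLS:
            found.append(("high", "javaw.exe spawned shell: " + ev.get("CommandLine", "")))
        if in_autorun(ev.get("Image", "")) or in_autorun(ev.get("CurrentDirectory", "")):
            found.append(("high", "process executed from Autorun directory"))
    elif eid == 11:  # file created
        t = ev["TargetFilename"]
        if in_autorun(t):
            sev = "high" if basename(t) in AUTORUN_NAMES else "medium"
            found.append((sev, "file dropped in Autorun directory: " + t))
        if in_cleo_dir(t) and basename(t).endswith((".jar", ".ftl")):
            found.append(("medium", "JAR/template written under Cleo install: " + t))
    elif eid == 23:  # file deleted
        t = ev["TargetFilename"]
        if in_cleo_dir(t) and basename(t).endswith(".jar"):
            found.append(("medium", "JAR deleted under Cleo install (cleanup): " + t))
    elif eid == 3:  # network connection
        dst = ev.get("DestinationIp", "")
        if basename(ev.get("Image", "")) == "javaw.exe" and dst in CALLBACK_IPS:
            found.append(("critical", "javaw.exe connected to known callback IP " + dst))
    return found


def hunt(events):
    """Run classify over an event stream; returns [(event_index, severity, reason)]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in classify(ev)]


def scan_debug_log(lines):
    """Pick out LexiCom.dbg / LexiCom.xml lines that reference an Autorun file."""
    return [ln for ln in lines if AUTORUN_LOG_RE.search(ln)]


# Constructed sample telemetry: one exploitation chain plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\LexiCom\\autorun\\healthchecktemplate.txt"},
    {"EventID": 1, "ParentImage": "C:\\LexiCom\\jre\\bin\\javaw.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NonInteractive -File C:\\Windows\\Temp\\run.ps1",
     "CurrentDirectory": "C:\\LexiCom"},
    {"EventID": 3, "Image": "C:\\LexiCom\\jre\\bin\\javaw.exe", "DestinationIp": "176.123.5.126"},
    {"EventID": 23, "TargetFilename": "C:\\LexiCom\\cleo.1234.jar"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\notepad.exe",
     "CommandLine": "notepad.exe", "CurrentDirectory": "C:\\Users\\ops"},
    {"EventID": 11, "TargetFilename": "C:\\LexiCom\\logs\\LexiCom.dbg"},
]
SAMPLE_LOG = [  # constructed, not real Cleo log output
    "12/09 03:14:22 Note  Autorun processing autorun/healthchecktemplate.txt",
    "12/09 03:14:25 Note  HTTP listener started",
]

if __name__ == "__main__":
    for idx, sev, why in hunt(SAMPLE_EVENTS):
        print(f"[{sev.upper():8}] event {idx}: {why}")
    for ln in scan_debug_log(SAMPLE_LOG):
        print("[LOG     ]", ln)
    print("upgrade required for 5.8.0.21:", needs_upgrade("5.8.0.21"))
```

Run against the constructed sample, the chain produces four findings in order (Autorun drop, javaw.exe-to-PowerShell, callback to a listed IP, JAR cleanup) while the explorer.exe/notepad.exe event and the benign LexiCom.dbg write produce none. The severity labels are a triage convenience; in a real deployment the javaw.exe parent-child check and the Autorun directory write are the two signals worth paging on, since both fire before the callback and before the JAR is deleted.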

CVSS provenance

Source      Score  Severity  Vector
nvd (v3.1)  9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   9.8    CRITICAL
cisa        9.8    CRITICAL