CVE-2024-50623

CRITICAL KEV RANSOMWARE NUCLEI

Cleo Harmony, VLTrader, and LexiCom < 5.8.0.21 - Unrestricted File Upload and Remote Code Execution

Exploitation Summary

CVE-2024-50623 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added December 13, 2024), with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including iSee857, watchtowrlabs, and verylazytech. A Nuclei detection template is also available.

Description

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

Exploits (5)

github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/CVE-2024-50623.py

The repository contains functional exploit code for CVE-2024-50623, demonstrating command execution via a session-based shell endpoint. The script includes multi-threaded scanning capabilities and validates vulnerability by checking for 'uid=' and 'gid=' in the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (version not specified)
No auth needed
Prerequisites: Network access to the target · OpenCode service running with vulnerable endpoint
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 25 stars
by watchtowrlabs · infoleak
https://github.com/watchtowrlabs/CVE-2024-50623

This PoC exploits an unrestricted file upload and download vulnerability in Cleo software (CVE-2024-50623). It allows arbitrary file read and write operations via crafted HTTP headers to the Synchronization endpoint.

Classification: Working PoC 100%
Attack Type: Info Leak | Other
Complexity: Trivial
Reliability: Reliable
Target: Cleo (version not specified)
No auth needed
Prerequisites: Network access to the target's Synchronization endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 8 stars
by verylazytech · remote
https://github.com/verylazytech/CVE-2024-50623

This repository contains a functional proof-of-concept exploit for CVE-2024-50623, targeting Cleo's file transfer software. The exploit leverages unrestricted file upload and download capabilities to achieve remote code execution by manipulating the Synchronization endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cleo Harmony, Cleo VLTrader, Cleo LexiCom (versions prior to 5.8.0.21)
No auth needed
Prerequisites: Network access to the target system · Cleo software with vulnerable version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by iSee857 · remote
https://github.com/iSee857/Cleo-CVE-2024-50623-PoC

This PoC checks for CVE-2024-50623 in Cleo LexiCom by exploiting a path traversal vulnerability to read arbitrary files and upload files. It verifies the version and attempts to read system.ini and upload a test file.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Cleo LexiCom versions below 5.8.0.24
No auth needed
Prerequisites: Network access to the target server · Cleo LexiCom Synchronization endpoint exposed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by congdong007 · infoleak
https://github.com/congdong007/CVE-2024-50623-poc

This PoC exploits a path traversal vulnerability in the target software by manipulating the 'path' parameter in the 'Retrieve' header to read arbitrary files (e.g., '/etc/passwd'). The script sends a crafted GET request to the '/Synchronization' endpoint with malicious headers.

Classification: Working PoC 80%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a web application with a Synchronization endpoint)
No auth needed
Prerequisites: Network access to the target endpoint · Target endpoint must be vulnerable to path traversal
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Cleo Harmony < 5.8.0.21 - Arbitrary File Read
HIGH · VERIFIED · by DhiyaneshDK
Shodan: Server: Cleo

Scores

CVSS v3 9.8
EPSS 0.9401
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-12-13
VulnCheck KEV 2024-12-09
InTheWild.io 2024-12-13
ENISA EUVD EUVD-2024-45217
Ransomware Use Confirmed
CWE CWE-434
Status published
Products (3)
cleo/harmony < 5.8.0.21
cleo/lexicom < 5.8.0.21
cleo/vltrader < 5.8.0.21
Published Oct 28, 2024
KEV Added Dec 13, 2024
Tracked Since Feb 18, 2026