What is Cleo Harmony, VLTrader, and LexiCom?
Cleo Harmony, VLTrader, and LexiCom are managed file transfer (MFT) platforms. See CVE-2024-55956 for the full product context and the December 2024 Clop ransomware campaign.
Overview
CVE-2024-50623 is the first of two critical Cleo file transfer vulnerabilities exploited by Clop ransomware in the December 2024 campaign — the earlier, lower-profile vulnerability that preceded the higher-impact CVE-2024-55956. CVE-2024-50623 is an unrestricted file upload vulnerability (CWE-434) in Cleo Harmony, VLTrader, and LexiCom that allows unauthenticated remote code execution. Cleo released a patch in October 2024, but attackers discovered a bypass (CVE-2024-55956) that enabled continued exploitation through December 2024 despite the patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Cleo Harmony | ≤ 5.8.0.20 | 5.8.0.21 (patch later bypassed by CVE-2024-55956; upgrade to 5.8.0.24) |
| Cleo VLTrader | ≤ 5.8.0.20 | Same |
| Cleo LexiCom | ≤ 5.8.0.20 | Same |
Important: The October 2024 patch (5.8.0.21) for CVE-2024-50623 was bypassed by CVE-2024-55956. Organizations must upgrade to 5.8.0.24 to fully remediate both CVEs.
Technical Details
The unrestricted file upload (CWE-434) lets an unauthenticated attacker write files into Cleo's file transfer directories. Combined with Cleo's Autorun feature, which automatically executes scripts placed in the Autorun directory, an uploaded script runs with the privileges of the Cleo service account, giving remote code execution.
The bypass chain: Cleo's October 2024 patch for CVE-2024-50623 introduced restrictions on direct file upload paths. However, attackers discovered CVE-2024-55956 — a different mechanism to achieve the same Autorun exploitation — as a bypass. Organizations that applied the October patch believed they were protected but remained vulnerable until the December 2024 patch (5.8.0.24) addressed the bypass.
Exploitation Context
Clop ransomware actors used CVE-2024-50623 in initial exploitation attempts before the December campaign. When Cleo's October patch was released, Clop pivoted to CVE-2024-55956 (the bypass). The December 2024 mass exploitation campaign that compromised dozens of organizations used CVE-2024-55956 as the primary vector, but CISA listed CVE-2024-50623 simultaneously because both represent the same underlying exploitation capability in the Autorun processing path.
Remediation
- Upgrade to Cleo 5.8.0.24 — the only version that addresses both CVE-2024-50623 and CVE-2024-55956 (the bypass). Versions 5.8.0.21–5.8.0.23 are partially patched but still vulnerable to CVE-2024-55956.
- Disable Autorun as an immediate mitigation if patching cannot be done right away.
- Apply all CVE-2024-55956 remediation steps — both vulnerabilities share the same exploitation impact. See CVE-2024-55956 for detailed remediation.
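The version thresholds and the Autorun directory in the Technical Details and Remediation sections above translate directly into a triage check. The following script is an added example (not Cleo's own tooling and not from this advisory): it classifies an installed Cleo version as vulnerable, partially patched (5.8.0.21 to 5.8.0.23) or fixed, and flags files in an Autorun directory that are not on an operator-maintained allowlist. The Autorun path and the allowlist contents are assumptions to adapt to your deployment; the filenames in the demo are constructed.

```python
"""Exposure triage for CVE-2024-50623 / CVE-2024-55956 in Cleo Harmony,
VLTrader and LexiCom.

Added example, not Cleo's code. Version boundaries come from the advisory;
the Autorun directory path and the allowlist below are assumptions.
"""
from pathlib import Path
from typing import Iterable, List, Set, Tuple

FIRST_PATCH = (5, 8, 0, 21)  # October 2024 patch for CVE-2024-50623 only
FULL_FIX = (5, 8, 0, 24)     # December 2024 patch also closing CVE-2024-55956


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.8.0.21' into (5, 8, 0, 21); reject non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Cleo version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map an installed version to one of three exposure states.

    Tuple comparison handles shorter strings such as '5.8' naturally:
    a missing trailing component sorts before any explicit value.
    """
    v = parse_version(version)
    if v < FIRST_PATCH:
        return "VULNERABLE: exposed to CVE-2024-50623 and CVE-2024-55956"
    if v < FULL_FIX:
        return "PARTIAL: CVE-2024-50623 patched, still exposed to CVE-2024-55956"
    return "FIXED: 5.8.0.24 or later"


def unexpected_autorun_files(names: Iterable[str], allowlist: Set[str]) -> List[str]:
    """Return Autorun entries that are not on the operator's allowlist.

    Anything the Autorun feature would execute that nobody placed there
    deliberately deserves a look; names are compared case-insensitively
    because Cleo also ships on Windows.
    """
    allowed = {n.lower() for n in allowlist}
    return sorted(n for n in names if n.lower() not in allowed)


def scan_autorun_dir(autorun_dir: Path, allowlist: Set[str]) -> List[str]:
    """Live variant: list the real directory and apply the same allowlist."""
    if not autorun_dir.is_dir():
        raise FileNotFoundError(f"Autorun directory not found: {autorun_dir}")
    names = (p.name for p in autorun_dir.iterdir() if p.is_file())
    return unexpected_autorun_files(names, allowlist)


if __name__ == "__main__":
    for ver in ("5.8.0.20", "5.8.0.21", "5.8.0.23", "5.8.0.24"):
        print(f"{ver:10} -> {classify(ver)}")

    # Constructed sample: two expected scheduled scripts plus one stray file.
    sample_listing = ["nightly_sync.xml", "partner_pull.xml", "unknown_upload.txt"]
    approved = {"nightly_sync.xml", "partner_pull.xml"}  # assumption: your own list
    print("unexpected Autorun files:", unexpected_autorun_files(sample_listing, approved))

    # Assumed installation path; replace with the real Autorun directory.
    # print(scan_autorun_dir(Path("/opt/cleo/autorun"), approved))
```

Run it once against your installed version string and a current listing of the Autorun directory; a PARTIAL result means the October patch is present but the bypass is still open, which is exactly the state the advisory warns about.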
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-50623 |
| Vendor / Product | Cleo — Multiple Products |
| NVD Published | 2024-10-28 |
| NVD Last Modified | 2025-11-05 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-434 |
| CISA KEV Added | 2024-12-13 |
| CISA KEV Deadline | 2025-01-03 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-10-28 | CVE published; Cleo releases initial patch |
| 2024-12-11 | Mass exploitation confirmed (attackers bypass CVE-2024-50623 patch via CVE-2024-55956) |
| 2024-12-13 | CISA adds CVE-2024-50623 to KEV (alongside CVE-2024-55956) |
| 2025-01-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Cleo Security Update — CVE-2024-50623 | Vendor Advisory |
| NVD — CVE-2024-50623 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |