Note: This Emerging Threat is also published in the new Fortra Security & Trust Center - the new location for all Emerging Threats beginning in January 2025. Refer to Emerging Threats Moving to Fortra.com for more information on following Emerging Threats in their new location.
Fortra is actively researching a new vulnerability in three products from Cleo – Cleo Harmony, Cleo VLTrader, and Cleo LexiCom. This vulnerability, CVE-2024-50623, can allow unrestricted file upload and download, which can lead to remote code execution. Active exploitation of the vulnerability has been reported.
Cleo has released patches to address this vulnerability, and affected customers are strongly advised to update their instances as soon as possible.
Who is affected?
This vulnerability affects the following products:
- Cleo Harmony prior to version 5.8.0.21
- Cleo VLTrader prior to version 5.8.0.21
- Cleo LexiCom prior to version 5.8.0.21
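The affected range is defined by a single fixed version, so the practical question for a defender is whether each installed instance is still below 5.8.0.21. The check below is an added example, not Fortra's or Cleo's code: it takes a constructed inventory of hosts with their product name and version string (how that string is collected from a Cleo install is not described in this article and is assumed to come from your own asset data) and flags the ones that still need the update. It compares versions numerically, because a plain string comparison gets dotted versions wrong (as text, "5.8.0.9" sorts after "5.8.0.21").

```python
"""Inventory check for CVE-2024-50623 (Cleo Harmony, VLTrader, LexiCom).

Added example, not Fortra's or Cleo's code. Assumes you already have each
host's product name and a purely numeric dotted version string (for example
from a CMDB export); collecting that string is not covered here.
"""
from typing import Dict, List, Tuple

# Fixed version from the advisory: 5.8.0.21 for all three products.
FIXED_VERSION = "5.8.0.21"
AFFECTED_PRODUCTS = {"Cleo Harmony", "Cleo VLTrader", "Cleo LexiCom"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.8.0.21' into (5, 8, 0, 21) so comparison is numeric.

    A plain string comparison is wrong here: '5.8.0.9' > '5.8.0.21' as
    text, but 9 < 21 as a number. Non-numeric components are rejected
    rather than guessed at (assumption: Cleo versions are all-numeric).
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the product is one of the three and the version is below 5.8.0.21."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames in the inventory that still need the 5.8.0.21 update."""
    return [
        entry["host"]
        for entry in inventory
        if is_vulnerable(entry["product"], entry["version"])
    ]


# Constructed sample inventory: hypothetical hosts and versions, not real systems.
SAMPLE_INVENTORY = [
    {"host": "mft-01.example.internal", "product": "Cleo Harmony", "version": "5.8.0.9"},
    {"host": "mft-02.example.internal", "product": "Cleo VLTrader", "version": "5.8.0.21"},
    {"host": "mft-03.example.internal", "product": "Cleo LexiCom", "version": "5.7.0.0"},
    {"host": "sftp-gw.example.internal", "product": "OtherVendor MFT", "version": "1.2.3"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION}")
```

Running the script on the sample inventory lists mft-01 (5.8.0.9) and mft-03 (5.7.0.0) as still needing the update; mft-02 is already at the fixed version and the non-Cleo gateway is ignored.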
What can I do?
Cleo has released patches for the affected products in version 5.8.0.21 of each product. Affected customers should update their instances of Cleo Harmony, Cleo VLTrader, and Cleo LexiCom as soon as possible.
For more information from the vendor and a link to additional mitigation steps, refer to Cleo’s advisory.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Alert Logic Network IDS: Alert Logic has deployed an IDS signature to detect exploit attempts for this vulnerability and aid in further detection research.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan detection on December 17, 2024, to identify vulnerable instances.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
12/12/2024: Alert Logic deployed an IDS signature to detect exploit attempts.
12/17/2024: Alert Logic released unauthenticated scan detection to identify vulnerable instances.