DIVD-2024-00052 - Remote code execution in Cleo Harmony, VLCTrader and LexiCom
| Our reference | DIVD-2024-00052 |
| Case lead | Alwin Warringa |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Upgrade to version 5.8.0.24 or later |
| Patch status | Patch available |
| Workaround | none |
| Status | Closed |
| Last modified | 05 Feb 2025 09:07 CET |
Summary
Cleo Harmony, VLCTrader and LexiCom versions below 5.8.0.24 are vulnerable for an remote code execution. A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system. This vulnerability is exploitable without authentication.
Recommendations
To remediate CVE-2024-50623 and a pending CVE, upgrade to version 5.8.0.24 or later. You can find a link to the Cleo bulletin at the bottom of this post.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of Cleo Harmony, VLCTrader or LexiCom and to notify these parties.
Timeline
| Date | Description |
|---|---|
| 10 Dec 2024 | DIVD starts researching the vulnerability. |
| 10 Dec 2024 | DIVD finds fingerprint, preparing to scan. |
| 10 Dec 2024 | Case opened and starting first scan. |
| 27 Dec 2024 | DIVD starts notifying network owners with a vulnerable devices in their network. |
| 05 Feb 2025 | DIVD sent out a second round of notifications. |
| 05 Feb 2025 | Case closed. |
gantt
title DIVD-2024-00052 - Remote code execution in Cleo Harmony, VLCTrader and LexiCom
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00052 - Remote code execution in Cleo Harmony, VLCTrader and LexiCom (57 days) :2024-12-10, 2025-02-05
section Events
DIVD starts researching the vulnerability. : milestone, 2024-12-10, 0d
DIVD finds fingerprint, preparing to scan. : milestone, 2024-12-10, 0d
Case opened and starting first scan. : milestone, 2024-12-10, 0d
DIVD starts notifying network owners with a vulnerable devices in their network. : milestone, 2024-12-27, 0d
DIVD sent out a second round of notifications. : milestone, 2025-02-05, 0d
Case closed. : milestone, 2025-02-05, 0d