CVE-2024-50623: 
NixOS vulnerability analysis and mitigation

CVE-2024-50623 is a critical unrestricted file upload and download vulnerability affecting Cleo's managed file transfer (MFT) products: Harmony, VLTrader, and LexiCom versions before 5.8.0.21. The vulnerability was discovered and disclosed on December 9, 2024, and allows unauthenticated remote code execution (Censys, Recorded Future).

The vulnerability stems from insufficient input validation, improper path sanitization, and weak license verification logic within the /Synchronization endpoint of the affected Cleo software. This endpoint facilitates file synchronization, transfer, and command-based file operations between Cleo cluster nodes. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature and ease of exploitation (NVD, Recorded Future).

The vulnerability enables unauthenticated attackers to achieve remote code execution on affected systems. At the time of discovery, there were 1,618 exposed Cleo instances on Censys and 1,234 on Shodan, with approximately 50% of exposed instances geolocated in the United States. The widespread exposure makes this vulnerability particularly concerning for organizations using affected Cleo products (Recorded Future, Censys).

Cleo has released version 5.8.0.21 to address the vulnerability and strongly advises all customers to immediately upgrade their instances of Harmony, VLTrader, and LexiCom to this version. However, according to security researchers, version 5.8.0.21 may not fully address the vulnerability, and Cleo is preparing a new patch (Cleo Advisory, Recorded Future).