Editorial coverage · CVE-2024-50623
Cleo patched the file. They did not patch the Autorun directory the file dropped into.
Two stacked failures on the `/Synchronization` endpoint of Cleo Harmony, VLTrader, and LexiCom. A trivial bitshift check against the cluster-sync serial number accepted any caller; past the gate, the `Retrieve` and `ADD` commands gave an unauthenticated request arbitrary file read and arbitrary file write against caller-specified paths. CVSS 9.8. Cleo shipped 5.8.0.21 on October 27, 2024 with a bolted-on `validatePath()` function intended to block traversal writes. By December 3, Huntress had a working bypass against fully patched 5.8.0.21 hosts; Cl0p was running it in production by December 8. CISA assigned CVE-2024-55956 to the bypass on December 13 and added both CVEs to KEV. The real architectural defect is not `validatePath()`. It is `<install>\autorun\` — a documented administrative feature that watches a directory and executes whatever files land there. Any file-write primitive anywhere in the product is automatically promoted to code execution. 5.8.0.21 patched the file. 5.8.0.24 finally patched the directory.
What we say
Most patches close the row when the function the bug lived in stops accepting the input the bug exploited. The change record names the build, the SI-2 narrative names the change record, the QSA reads the narrative, the audit form rolls up. For a class of bugs the model works. For Cleo it did not work for six weeks, and the part of the product that broke the model is not the function the patch landed in. It is the Autorun directory the function’s output went to.
`<install>\autorun\` is a documented administrative feature on Cleo Harmony, VLTrader, and LexiCom. The product ships with the directory created on install. The product ships with the watcher running. The watcher polls the directory and processes whatever lands there — for XMLs, run the embedded commands; for ZIPs, unpack and execute the inner payloads. The feature is intended for operator-driven automation: drop a file, the product picks it up. The feature is ambient. The CVE-2024-50623 file-write primitive landed bytes in the directory and the watcher executed them as the service account. PowerShell, base64-encoded payload, code execution. The bug was the write. The RCE was the watcher.
The October patch added a `validatePath()` function to the `Retrieve` and `ADD` handlers. The intent was to block path-traversal writes that landed in the Autorun directory from non-Autorun handlers. The implementation was bypassable; Huntress published a working bypass against 5.8.0.21 on December 9 after notifying Cleo on December 3. Whether CVE-2024-55956 is technically a bypass of `validatePath()` or a separate CWE-77 issue in the Autorun feature itself is a question researchers disagreed on; Huntress and Darktrace call it a bypass, Rapid7 calls it a distinct bug. The operational answer is the same either way. 5.8.0.21 was bypassable. The Autorun directory was the reason the bypass mattered.
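The difference between a check on a function and a change to the product can be shown in code. The following is an added example written for this page; it is not Cleo's `validatePath()` (whose internals are not reproduced here), and the `/opt/cleo` layout, the `inbox` write root and the function names are assumptions. `naive_check` is the generic substring filter that handlers commonly get bolted on; `contained_write_path` canonicalises the path, requires containment in the allowed root, and independently refuses any target under a directory the product executes from.

```python
import os
from typing import Iterable, Optional

# Assumed layout for the example only; the real install root is operator-specific.
INSTALL_ROOT = "/opt/cleo"
ALLOWED_ROOT = os.path.join(INSTALL_ROOT, "inbox")    # where a sync write may land
AUTORUN_DIR = os.path.join(INSTALL_ROOT, "autorun")   # watched and executed: never a write target


def naive_check(user_path: str) -> bool:
    """A substring filter of the kind often added to a single handler.

    It rejects the literal '..' sequence and nothing else, so an absolute path
    that points straight at a sensitive directory passes it unchanged.
    """
    return ".." not in user_path


def contained_write_path(user_path: str,
                         allowed_root: str = ALLOWED_ROOT,
                         deny_dirs: Iterable[str] = (AUTORUN_DIR,)) -> Optional[str]:
    """Return the canonical path the write may go to, or None if it is refused.

    1. Join the caller-supplied name onto the allowed root and canonicalise it
       (resolves '..', duplicate separators and symlinks). Note that
       os.path.join discards the root when user_path is absolute, which is
       exactly why step 2 is needed.
    2. Require the canonical result to sit inside allowed_root.
    3. Product-level rule, independent of the handler: refuse anything under a
       directory the product executes from, even if it is inside allowed_root.
    """
    root = os.path.realpath(allowed_root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        return None
    for deny in deny_dirs:
        deny = os.path.realpath(deny)
        if os.path.commonpath([deny, candidate]) == deny:
            return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary file name, one traversal, one absolute path.
    for p in ("partner/report.csv", "../autorun/job.xml", "/opt/cleo/autorun/job.xml"):
        print(f"{p!r:35} naive={naive_check(p)!s:5} contained={contained_write_path(p)}")
```

The deny list in step 3 is the part that belongs to the product rather than to the handler: a second handler with a different allowed root still cannot write into the watched directory, which is the property the page says 5.8.0.21 lacked and 5.8.0.24 changed.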
The 5.8.0.24 build that closed both bug paths shipped December 11 or 12 and changed the Autorun behavior. The interim mitigation Cleo recommended between the second incident and the 5.8.0.24 build was to clear the Autorun Directory field in Configure → Options → Other — an emergency disable of a documented product feature, against a default-enabled directory, in the middle of an active Cl0p campaign. That is the architectural critique in operator terms. The October patch was a check on a function. The December patch was a change to the product. The two patches were necessary against the same CVE row. The audit form had one cell.
The wider pattern is the one the Cleo blog post named. Five MFT vendors in five years have been mass-exploited by Cl0p on substantially the same playbook. Accellion FTA in 2020, Serv-U in 2021, GoAnywhere and MOVEit in 2023, Cleo in 2024. The bug classes vary — SQL injection, deserialization, command injection, file write — and the patches in each case landed on the immediate function. The admin UI on the same listener as the data plane, the legacy codebase with no full-time security engineering, the reactive disclosure, the fix that closes one path against an architecture that ships the next path are constant across the five vendors. Calling Cleo a Cleo problem misreads the record. The patch-the-function-not-the-product pattern is the structural shape of the MFT tier and the audit framework writes against the function-level change.
The narrow operational instruction is short. Hosts that ran 5.8.0.21 between approximately December 3, 2024 and the day the operator applied 5.8.0.24 should be treated as compromised; the IR work includes log preservation to write-protected storage before reboot, the Huntress IoC list against `<install>\autorun\` and `<install>\hosts\`, and a blast-radius map across every trading partner whose data flowed through the appliance. The wider instruction is one the editorial corpus keeps arriving at and the audit form cannot directly encode. The patch the vendor advisory names is the function. The architecture the function lives in is the part the next campaign will read from. The QSA reading the audit narrative sees the change record close the cell. The operator reading the change record sees a build number. The adversary reading the product sees a watcher polling a directory. The three reads do not disagree about what the patch did. They disagree about what the patch was supposed to do, and the form has no field for the disagreement.
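The first two IR steps above, preserving a file manifest and reviewing what sits in the Autorun and hosts directories, can be scripted. The following is an added example, not Cleo's or Huntress's tooling: it walks `autorun/` and `hosts/` under an operator-supplied install root, hashes every file, flags the kinds of file the watcher executes, anything modified inside the exposure window, and a few constructed content heuristics, and lists the `hosts/<name>.xml` entries as the seed for the blast-radius map. The directory names come from the text; the content patterns, the fixture data and the function names are assumptions, and a real run would match hashes against the published IoC list rather than these heuristics.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Directory names from the advisory's <install>\autorun\ and <install>\hosts\.
TRIAGE_DIRS = ("autorun", "hosts")
# Approximate start of the exposure window named in the text; the end is the day
# 5.8.0.24 was applied, which the operator supplies.
WINDOW_START = datetime(2024, 12, 3, tzinfo=timezone.utc)
WATCHER_EXT = {".xml", ".zip"}                  # types the Autorun watcher acts on
SCRIPT_EXT = {".ps1", ".bat", ".cmd", ".vbs"}   # script leftovers worth a look
# Constructed heuristics for this example, not an IoC list.
CONTENT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"powershell", r"cmd\.exe", r"-EncodedCommand")]


def sha256_of(path: str) -> str:
    """Stream-hash a file so the manifest can be matched against published IoCs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _content_hits(path: str, limit: int = 1_000_000) -> List[str]:
    """Pattern names that match the file body (skipped for large files)."""
    if os.path.getsize(path) > limit:
        return []
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", "replace")
    return [p.pattern for p in CONTENT_PATTERNS if p.search(text)]


def inventory(install_root: str, window_start: datetime = WINDOW_START,
              window_end: Optional[datetime] = None) -> List[Dict]:
    """Walk autorun/ and hosts/, hash every file and attach triage reasons."""
    window_end = window_end or datetime.now(timezone.utc)
    records: List[Dict] = []
    for sub in TRIAGE_DIRS:
        base = os.path.join(install_root, sub)
        if not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                st = os.stat(path)
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                ext = os.path.splitext(name)[1].lower()
                reasons = []
                if sub == "autorun" and ext in WATCHER_EXT:
                    reasons.append("watcher-executable")   # runs as the service account
                if ext in SCRIPT_EXT:
                    reasons.append("script-file")
                if window_start <= mtime <= window_end:
                    reasons.append("modified-in-exposure-window")
                if ext in (WATCHER_EXT | SCRIPT_EXT) - {".zip"} and _content_hits(path):
                    reasons.append("content-match")
                records.append({"dir": sub, "path": path, "size": st.st_size,
                                "mtime": mtime.isoformat(), "sha256": sha256_of(path),
                                "reasons": reasons})
    return records


def flagged(records: List[Dict]) -> List[Dict]:
    """Records that need an analyst; an empty list is not evidence of a clean host."""
    return [r for r in records if r["reasons"]]


def trading_partners(records: List[Dict]) -> List[str]:
    """hosts/<name>.xml entries: the starting list for the blast-radius map."""
    return sorted(os.path.splitext(os.path.basename(r["path"]))[0]
                  for r in records if r["dir"] == "hosts" and r["path"].lower().endswith(".xml"))


def manifest(records: List[Dict]) -> str:
    """One line per file; write this to write-protected storage before any reboot."""
    return "\n".join(f'{r["sha256"]}  {r["mtime"]}  {r["size"]:>8}  {r["path"]}  '
                     f'{";".join(r["reasons"]) or "-"}' for r in records)


def build_constructed_fixture() -> str:
    """Constructed sample tree: one dropped-looking Autorun XML, one old partner file."""
    root = tempfile.mkdtemp(prefix="cleo-triage-")
    os.makedirs(os.path.join(root, "autorun"))
    os.makedirs(os.path.join(root, "hosts"))
    with open(os.path.join(root, "autorun", "sync_job.xml"), "w") as f:
        f.write("<Commands><Command>powershell -EncodedCommand PLACEHOLDER</Command></Commands>\n")
    partner = os.path.join(root, "hosts", "acme-partner.xml")
    with open(partner, "w") as f:
        f.write('<Host alias="acme-partner"/>\n')
    old = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()   # before the window
    os.utime(partner, (old, old))
    return root


if __name__ == "__main__":
    import sys
    recs = inventory(sys.argv[1] if len(sys.argv) > 1 else build_constructed_fixture())
    print(manifest(recs))
    print(f"\n{len(flagged(recs))} of {len(recs)} files flagged; partners: {', '.join(trading_partners(recs))}")
```

Run it with the install root as the first argument; with no argument it builds the constructed fixture. The manifest is produced before anything is flagged so that the preservation copy is complete regardless of the triage outcome.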
What NVD says
CWE-22 — improper limitation of a pathname to a restricted directory. NVD CVSS 3.1 base 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The score is honest against the bug as a primitive: an unauthenticated `/Synchronization` request with a forged serial number reaches `Retrieve` or `ADD` and writes attacker-controlled bytes to an attacker-controlled path. What the row does not encode is that the write-to-anywhere primitive becomes code execution only because the Cleo product ships an Autorun directory that the watcher service polls and executes against by design. The CWE-22 framing names the path-traversal half. The RCE half is downstream of an architectural feature that the CWE schema has no field for. A future bug in a different Cleo handler that produces a different write-primitive would land in the same Autorun directory and reach the same code-execution outcome through the same product feature. The 9.8 score reads against the bug. The architecture reads against the product.
What the vendor says
Cleo's October 27, 2024 release notes for Harmony, VLTrader, and LexiCom 5.8.0.21 named the bug, named the fix as the addition of a `validatePath()` function on the affected handlers, and recommended the upgrade. The advisory did not name the Autorun directory as architecturally exposed; it did not recommend clearing the Autorun Directory field in Configure → Options → Other. Huntress published the working bypass against 5.8.0.21 on December 9 after notifying Cleo on December 3. Cleo's interim mitigation between the second incident and the 5.8.0.24 build was, literally, to clear the Autorun Directory field — an emergency configuration change against a feature the product ships enabled by default. The 5.8.0.24 build shipping December 11-12 was the fix that closed both bug paths and changed the Autorun behavior. The advisory ecosystem for 50623 reads as 'we patched the function.' The 5.8.0.24 release notes read closer to 'we patched the product.' Two months and one Cl0p campaign separate the two readings.
Compliance impact
- PCI DSS
  - Requirement 6.3.3 reads the October 27 advisory against the one-month patch clock. The change record naming the 5.8.0.21 upgrade closes the row. The QSA's audit narrative against the cell reads 'patched within window' for any operator who applied 5.8.0.21 promptly. The cell does not have a field for 'the patched build was bypassable inside six weeks because the patch addressed the immediate function and not the architectural feature that promoted the bug to RCE.' Requirement 1's CDE-scoping reads the MFT host as in-scope wherever it brokers payment-data-adjacent file flows; Cl0p's leak-site count put Cleo customers across regulated sectors (healthcare, retail, financial services) whose trading-partner directories the Malichus stage-three RAT harvested out of `conf/Top.xml` and `hosts/<hostname>.xml`. Requirement 12.10 incident-response writes against discovery date; for any host that ran 5.8.0.21 between roughly December 3 and the day the operator applied 5.8.0.24, the breach window predates the discovery and the IR clock is measured against the wrong start time on the audit form.
- HIPAA
  - Security Rule §164.308 administrative-safeguards risk analysis reads the Autorun directory as a continuously evaluable risk — a documented administrative feature that the operator did not opt into and that the audit posture cannot model as a control with a yes/no state. §164.402 breach-notification reads against discovery date; the standard 60-day clock from discovery understates the actual exposure window on any host that ran 5.8.0.21 between December 3 and 5.8.0.24. The HHS Office for Civil Rights guidance on breach risk-assessment factors writes against four bullets, three of which (probability that PHI was acquired, extent to which the risk has been mitigated, identity of the unauthorized recipient) Cleo customers cannot answer with confidence because Cl0p's exfiltration framework leaves minimal artifacts the EDR can correlate against. The audit narrative reads 'patched per vendor advisory' the same on a host that ran 5.8.0.21 for two days and a host that ran it for six weeks; the form has one row for the patch and no row for the exposure window the patch did not retract.
Sources
- NVD — CVE-2024-50623
- NVD — CVE-2024-55956 (bypass of the original fix)
- Huntress — Threat Advisory: Oh No, Cleo!
- Huntress — Cleo Software Vulnerability: Malichus Malware Analysis
- watchTowr Labs — Cleo CVE-2024-50623 Technical Analysis
- Rapid7 — Widespread Exploitation of Cleo File Transfer Software
- CISA Known Exploited Vulnerabilities Catalog
Every source on this list has been read by the editorial team. We do not cite something we have not opened.