Cleo


Products by Cleo, sorted by most security vulnerabilities since 2018

Cleo Lexicom: 4 vulnerabilities
Cleo Harmony: 2 vulnerabilities
Cleo Vltrader: 2 vulnerabilities
Cleo Harmomy: 1 vulnerability

Known Exploited Cleo Vulnerabilities

The following Cleo vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Cleo Multiple Products Unauthenticated File Upload Vulnerability (CVE-2024-55956)
Description: Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Exploit Probability: 91.0%
Added: December 17, 2024

Title: Cleo Multiple Products Unrestricted File Upload Vulnerability (CVE-2024-50623)
Description: Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.
Exploit Probability: 94.0%
Added: December 13, 2024

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 0 vulnerabilities in Cleo. Cleo did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 2 9.80
2023 0 0.00
2022 0 0.00
2021 2 7.55

It may take a day or so for new Cleo vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Cleo Security Vulnerabilities

CVE-2024-55956 (Dec 13, 2024)
Cleo Harmony, VLTrader, and LexiCom Remote Code Execution via Autorun Directory
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Products: Lexicom, Vltrader, Harmony

CVE-2024-50623 (Oct 28, 2024)
Unrestricted File UL/DR in Cleo Harmony, VLTrader, LexiCom <5.8.0.21 (RCE)
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
Products: Vltrader, Harmony, Lexicom, and others...

CVE-2021-33577 (Jun 18, 2021)
An issue was discovered in Cleo LexiCom 5.5.0.0. The requirement for the sender of an AS2 message to identify themselves (via encryption and signing of the message) can be bypassed by changing the Content-Type of the message to text/plain.
Products: Lexicom

CVE-2021-33576 (Jun 18, 2021)
An issue was discovered in Cleo LexiCom 5.5.0.0. Within the AS2 message, the sender can specify a filename. This filename can include path-traversal characters, allowing the file to be written to an arbitrary location on disk.
Products: Lexicom
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).