New MOVEit Transfer critical bug is actively exploited

Pierluigi Paganini June 26, 2024

Experts warn of active exploitation of a critical authentication bypass vulnerability in MOVEit Transfer file transfer software.

Progress Software addressed two critical authentication bypass vulnerabilities, tracked as CVE-2024-5805 and CVE-2024-5806, affecting its MOVEit Transfer file transfer software.

The vulnerability CVE-2024-5805 (CVSS score 9.1) is an improper authentication vulnerability in Progress MOVEit Gateway (SFTP module) that allows authentication bypass. The vulnerability was discovered by Max Hase, it impacts MOVEit Gateway: 2024.0.0.

The vulnerability CVE-2024-5806 (CVSS score 9.1) is also an improper authentication vulnerability that resides in the Progress MOVEit Transfer (SFTP module) that can lead to authentication bypass.

This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

The flaw CVE-2024-5806 was addressed with the release of versions 2023.0.11, 2023.1.6, and 2024.0.2. CVE-2024-5805 has been addressed with the release of version 2024.0.1. 

Progress highlighted that a recently discovered vulnerability in a third-party component raises the risk level for this CVE.

“We have addressed the MOVEit Transfer vulnerability and the Progress MOVEit team strongly recommends performing an upgrade to the latest version listed in the table below.” reads the advisory published Progress Software. “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.”

The company recommends customers mitigate third-party vulnerability by verifying they have blocked public inbound RDP access to MOVEit Transfer server(s), and limiting outbound access to only known trusted endpoints from MOVEit Transfer server(s).

Experts warned of exploitation attempts targeting the vulnerability CVE-2024-5806.

WatchTowr researchers published a detailed analysis of the flaw CVE-2024-5806, they added that Progress has been proactively contacting customers for weeks or months to ensure they address the CVE-2024-5806.

“Clearly, this is a serious vulnerability. It is also somewhat difficult to diagnose, given the knowledge of the SSH protocol and a considerable .NET reverse-engineering effort required.” reads the advisory published by WatchTowr. “However, the presence of the Illegal characters in path exception should grab the attention of any other researchers who are searching for the vulnerability, and the relative simplicity of exploitation lends itself to ‘accidental’ discovery.”

Researchers at Shadowserver Foundation also reported observing exploitation attempts for CVE-2024-5806 and urge customers to address it.

Users can track Progress MOVEit Transfer exposed instances through the Shadowserver dashboard. At the time of this writing, there are more than 1,700 internet-facing instances, most of them in the US.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Progress MOVEit Transfer)

you might also like

leave a comment