Urgent Alert: Critical Vulnerability Unveiled in MOVEit Transfer – Apply Patch Immediately!
A critical security vulnerability affecting Progress Software MOVEit Transfer has been disclosed and is already being exploited in the wild, shortly after the bug details were made public.
The flaw, identified as CVE-2024-5806 (CVSS score: 9.1), is an authentication bypass issue that impacts the following software versions –
- Between version 2023.0.0 and version 2023.0.11
- Between version 2023.1.0 and version 2023.1.6, and
- Between version 2024.0.0 and version 2024.0.2
“Progress MOVEit Transfer (SFTP module) contains an improper authentication vulnerability that can result in Authentication Bypass,” announced the company in an advisory issued on Tuesday.
Another critical vulnerability related to SFTP authentication bypass (CVE-2024-5805, CVSS score: 9.1) affecting MOVEit Gateway version 2024.0.0 has also been addressed by Progress.
Exploiting these vulnerabilities could grant unauthorized access to MOVEit Transfer and Gateway systems by bypassing SFTP authentication.
watchTowr Labs has released detailed technical information about CVE-2024-5806, with security experts Aliz Hammond and Sina Kheirkhah noting that it could be used to impersonate any user on the server.
The cybersecurity firm described the flaw as consisting of two distinct vulnerabilities, one in Progress MOVEit and the other in the IPWorks SSH library.
“Although the more severe vulnerability, enabling the impersonation of arbitrary users, is specific to MOVEit, the less impactful forced authentication loophole could likely impact all applications utilizing the IPWorks SSH server,” explained the researchers in their report.
Progress Software warned that the weakness in the third-party component “escalates the danger of the original problem” if unaddressed, urging customers to take the following actions –
- Restrict public inbound RDP access to MOVEit Transfer server(s)
- Control outbound access exclusively to known trusted endpoints from MOVEit Transfer server(s)
Rapid7 stated that three conditions must be met to leverage CVE-2024-5806: Attackers must possess knowledge of an existing username, the target account must be capable of remote authentication, and the SFTP service must be publicly reachable over the internet.
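The affected version ranges and Rapid7's exposure conditions can be combined into a patch-priority check over an asset inventory. The following Python sketch is an added example, not code from Progress, Rapid7 or watchTowr. The `Host` record, its field names, the priority labels and the sample inventory are hypothetical, and "between" is read as inclusive at both ends.

```python
from dataclasses import dataclass

# Affected MOVEit Transfer ranges for CVE-2024-5806 as listed in the article.
# Assumption: "between" is read as inclusive at both ends; confirm the exact
# fixed builds against the Progress advisory before closing a finding.
AFFECTED = [((2023, 0, 0), (2023, 0, 11)),
            ((2023, 1, 0), (2023, 1, 6)),
            ((2024, 0, 0), (2024, 0, 2))]

@dataclass
class Host:                      # hypothetical inventory record
    name: str
    version: str                 # product version, e.g. "2023.0.8"
    sftp_internet_facing: bool   # SFTP service reachable from the internet
    remote_auth_accounts: bool   # at least one account may authenticate remotely

def parse_version(text):
    """Turn '2023.0.8' into (2023, 0, 8); reject anything malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def in_affected_range(version):
    # Integer tuples compare numerically, so 2023.0.9 < 2023.0.11
    # (a plain string comparison would get this wrong).
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED)

def triage(host):
    """Return 'patch-now', 'patch', 'ok' or 'unknown' for one host."""
    try:
        affected = in_affected_range(host.version)
    except ValueError:
        return "unknown"         # never treat an unparsable version as safe
    if not affected:
        return "ok"
    # Two of the three conditions are deployment properties. The third, a
    # known username, is assumed obtainable and is not modelled.
    if host.sftp_internet_facing and host.remote_auth_accounts:
        return "patch-now"
    return "patch"

# Constructed sample inventory (not real hosts)
INVENTORY = [Host("mft-edge-01", "2023.0.8", True, True),
             Host("mft-int-02", "2023.1.3", False, True),
             Host("mft-dr-03", "2024.0.3", True, True),
             Host("mft-lab-04", "2023.1", True, True)]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{h.name:12} {h.version:10} {triage(h)}")
```

An affected host that is not internet-facing is still rated `patch`, since the exposure conditions only change urgency, not whether the version is vulnerable.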

As of June 25, Censys data reveals approximately 2,700 online instances of MOVEit Transfer, predominantly in the U.S., the U.K., Germany, the Netherlands, Canada, Switzerland, Australia, France, Ireland, and Denmark.
Given that another critical vulnerability in MOVEit Transfer was exploited last year in various Cl0p ransomware attacks (CVE-2023-34362, CVSS score: 9.8), it is imperative that users promptly update to the latest versions.
This development coincides with the disclosure by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that its Chemical Security Assessment Tool (CSAT) was targeted in January in an attack that exploited security vulnerabilities in the Ivanti Connect Secure (ICS) appliance (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
“This intrusion may have led to potential unauthorized access to Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts,” revealed the agency in its statement, clarifying that no data exfiltration was detected.

