CVE-2024-5806: Progress MOVEit Transfer Authentication Bypass Vulnerability
Progress Software has patched a high severity authentication bypass in the MOVEit managed file transfer (MFT) solution. As MOVEit has been a popular target for ransomware gangs and other threat actors, we strongly recommend prioritizing patching of this vulnerability.
Update June 26: The Analysis section has been updated to include information about exploitation attempts.
Background
On June 25, Progress published an advisory for a vulnerability in MOVEit Transfer, a secure managed file transfer (MFT) solution:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2024-5806 | MOVEit Transfer Authentication Bypass Vulnerability | 7.4 |
Analysis
CVE-2024-5806 is an authentication bypass vulnerability affecting the SSH File Transfer Protocol (SFTP) module in Progress MOVEit Transfer. According to the advisory, this vulnerability is only exploitable in “limited scenarios,” however no further information was available on what those scenarios may be. A technical analysis of this vulnerability by researchers at watchTowr provides more analysis on how they recreated the vulnerability and we recommend reviewing their blog post for additional insight and indicators of compromise (IoCs) for defenders.
Past Exploitation of MOVEit Transfer
On May 27, 2023, the ransomware group known as CLOP (or TA505) began mass exploitation of MOVEit Transfer MFT’s by exploiting a then zero-day SQL injection vulnerability (CVE-2023-34362). Hundreds of organizations were impacted by these attacks, with data breach reports tallying millions of affected individuals in the weeks and months after the attacks were identified and disclosed. With MFTs offering a treasure trove of sensitive information, opportunistic attackers have targeted them in order to steal sensitive data and extort victims. Additional MFT related attacks by the nefarious Cl0p ransomware group also include the exploitation of Accellion’s File Transfer Appliance (FTA) in 2020 and Fortra’s GoAnywhere MFT in January 2023.
The attacks by Cl0p gained attention from The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) who issued a joint cybersecurity advisory for CVE-2023-34362 (AA23-158A) on June 7, 2023 as part of their #StopRansowmare campaign.
Given the mass exploitation of MOVEit Transfer in the past, we highly recommend taking action to patch this vulnerability as soon as possible.
Exploitation attempts have been observed
In a post on X (formerly Twitter), The Shadowserver Foundation noted that they began seeing exploitation attempts shortly after details emerged for CVE-2024-5806.
Very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts. If you run MOVEit & have not patched yet - please do so now: https://t.co/AenLgqg1wM
NVD: https://t.co/OHQRNFNE9p— The Shadowserver Foundation (@Shadowserver) June 25, 2024
Proof of concept
On June 25, researchers at watchTowr published a detailed technical writeup alongside exploit code that demonstrates this vulnerability. According to watchTowr, there are some barriers for exploitation, such as the attacker needing to know a valid username on the system and being able to bypass any IP-based restrictions that an organization may have in place. watchTowr notes that Progress has made many attempts, under embargo, to contact affected customers in order to ensure they had adequate time to apply patches prior to the security advisory being made public.
Credit: watchTowr blog
Solution
Progress has released fixed versions of MOVEit Transfer. The following table reflects the affected and patched versions:
| Affected Versions | Patched Version |
|---|---|
| 2023.0.0 before 2023.0.11 | 2023.0.11 |
| 2023.1.0 before 2023.1.6 | 2023.1.6 |
| 2024.0.0 before 2024.0.2 | 2024.0.2 |
According to the advisory from Progress, customers using MOVEit Cloud environments have already been patched and are not “vulnerable to this exploit.”
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-5806 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Change Log
Update June 26: The Analysis section has been updated to include information about exploitation attempts.
Get more information
- Security Advisory: MOVEit Transfer Product Security Alert Bulletin for CVE-2024-5806
- watchTowr Blog: Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806)
- Tenable Blog: CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
- Tenable Blog: FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
Cybersecurity Snapshot: Memory Bugs Pervasive in Open Source SW, While Car Dealership Chaos Persists After Ransomware Attack
June 28, 2024Check out why memory vulnerabilities are widespread in open source projects. Plus, get the latest on the ransomware attack that’s disrupted car sales in North America. In addition, find out why a majority of organizations grew their cyber budgets this year. And learn how confidential data from U.S. chemical facilities may have been accessed by hackers. And much more!
CVE-2024-28995: SolarWinds Serv-U Path/Directory Traversal Vulnerability Exploited in the Wild
June 21, 2024Following the publication of proof-of-concept exploit details for a high-severity flaw in SolarWinds Serv-U, researchers have observed both automated and manual in-the-wild exploitation attempts; patching is strongly advised.
Cybersecurity Snapshot: FTC Believes TikTok Broke U.S. Law, Asks Justice Dept. To Intervene, while French Cyber Agency Warns About Nobelium / Midnight Blizzard
June 21, 2024TikTok’s legal troubles in the U.S. could get thornier after the FTC refers complaint to the DOJ. Meanwhile, France says Russia-backed Nobelium / Midnight Blizzard is a major cyber espionage threat to European governments. Plus, check out a Tenable poll about dealing with vulnerabilities without patches. And did LockBit 3.0 make a comeback in May? Maybe – or maybe not. And much more!
Cybersecurity Snapshot: Memory Bugs Pervasive in Open Source SW, While Car Dealership Chaos Persists After Ransomware Attack
June 28, 2024Check out why memory vulnerabilities are widespread in open source projects. Plus, get the latest on the ransomware attack that’s disrupted car sales in North America. In addition, find out why a majority of organizations grew their cyber budgets this year. And learn how confidential data from U.S. chemical facilities may have been accessed by hackers. And much more!
Tag, You’re IT! Tagging Your Way to Cloud Security Excellence
June 26, 2024To manage your cloud resources effectively and securely, you need to consistently tag assets across all your cloud platforms. Here we explain tagging’s main benefits, as well as proven strategies and best practices for tagging success.
CVE-2024-5806: Progress MOVEit Transfer Authentication Bypass Vulnerability
June 25, 2024Progress Software has patched a high severity authentication bypass in the MOVEit managed file transfer (MFT) solution. As MOVEit has been a popular target for ransomware gangs and other threat actors, we strongly recommend prioritizing patching of this vulnerability.
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management