Progress Discloses Two New Vulnerabilities in MOVEit Products


Progress Software has disclosed two fresh vulnerabilities in its MOVEit file transfer products.

The first is an authentication bypass in the MOVEit Transfer SFTP service as deployed in a default configuration (CVE-2024-5806). It affects the Secure File Transfer Protocol (SFTP) service in MOVEit Transfer from version 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6 and from 2024.0.0 before 2024.0.2; the upper bound of each range is the build that carries the fix.

The second is a related SFTP authentication bypass affecting MOVEit Gateway from version 2024.0.0 before 2024.0.1 (CVE-2024-5805).

Both have been assigned a CVSS score of 9.1, which places them in the critical severity band.

Attackers could exploit these improper authentication vulnerabilities to bypass SFTP authentication and gain access to MOVEit Transfer and Gateway, said a Progress security advisory published on June 25.
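Because the affected ranges are half-open (the fixed build is the first one not affected), it is easy to misread "2023.0.0 to 2023.0.11" as including the patched release. The following check, added here as an example and not Progress's own tooling, encodes the ranges from the advisory as quoted above and answers whether a given installed build is in an affected range. The fixed builds (2023.0.11, 2023.1.6, 2024.0.2 for Transfer; 2024.0.1 for Gateway) are taken from the ranges in this article; the product keys and function names are my own.

```python
"""Check a MOVEit Transfer or MOVEit Gateway build against the version ranges
Progress published on June 25, 2024 for CVE-2024-5806 and CVE-2024-5805.

Added example, not Progress's tooling. Ranges are half-open: the fixed build
named as the upper bound is NOT affected.
"""

from typing import Dict, List, Optional, Tuple

# (first affected build, first fixed build) per product, per the advisory.
AFFECTED: Dict[str, List[Tuple[str, str, str]]] = {
    # product  -> [(low, fixed, CVE), ...]
    "transfer": [
        ("2023.0.0", "2023.0.11", "CVE-2024-5806"),
        ("2023.1.0", "2023.1.6", "CVE-2024-5806"),
        ("2024.0.0", "2024.0.2", "CVE-2024-5806"),
    ],
    "gateway": [
        ("2024.0.0", "2024.0.1", "CVE-2024-5805"),
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2023.0.11' into (2023, 0, 11).

    Short strings are padded with zeros so '2024.0' compares as (2024, 0, 0);
    longer strings (a fourth build component) are kept, and Python's tuple
    ordering then treats 2023.0.11.x as at least 2023.0.11, i.e. fixed.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {version!r}")
    return parts + (0,) * max(0, 3 - len(parts))


def affected_cve(product: str, version: str) -> Optional[str]:
    """Return the CVE whose range contains `version`, or None if the build
    is outside every affected range (older than 2023.0.0 or already fixed)."""
    key = product.strip().lower()
    if key not in AFFECTED:
        raise ValueError(f"unknown product {product!r}; expected one of {sorted(AFFECTED)}")
    v = parse_version(version)
    for low, fixed, cve in AFFECTED[key]:
        if parse_version(low) <= v < parse_version(fixed):
            return cve
    return None


def is_affected(product: str, version: str) -> bool:
    return affected_cve(product, version) is not None


if __name__ == "__main__":
    # Constructed inventory rows, not real hosts.
    inventory = [
        ("transfer", "2023.0.5"),
        ("transfer", "2023.0.11"),
        ("transfer", "2024.0.1"),
        ("gateway", "2024.0.0"),
        ("gateway", "2024.0.1"),
    ]
    for product, build in inventory:
        cve = affected_cve(product, build)
        print(f"MOVEit {product} {build}: {cve or 'not in an affected range'}")
```

Builds older than 2023.0.0 fall outside every range and so return None; that means "not listed in this advisory", not "safe", since those releases are out of Progress's support window and carry older, unrelated fixes.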

Hints of Possible Active Exploitation

Cybersecurity firm Rapid7 analyzed typical exploitation patterns in a recent blog post.

To successfully exploit these new vulnerabilities, threat actors need to meet three criteria:

  • They know an existing username on the target
  • That account is able to authenticate remotely
  • The targeted SFTP service is exposed to them

“It’s possible that attackers may spray usernames to identify valid accounts,” Rapid7 researchers added.
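Username spraying against an SFTP endpoint leaves a distinctive trace: one source cycling through many different account names in a short window, often followed by a successful login from the same source once a valid name is found. The detector below, added here as an example and not part of the article or of any Rapid7 or Progress tooling, runs that logic over a few constructed authentication log lines. The line format (`auth=ok|fail user=... src=...`) is invented for the example and is not MOVEit Transfer's own log format; adapt the regular expression to whatever your SFTP service actually writes.

```python
"""Flag SFTP username spraying: many distinct usernames from one source in a
short window, and note if that source then authenticates successfully.

Added example. The log format and the sample lines are constructed for
illustration; they are not MOVEit Transfer logs.
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample: one source sprays five names then logs in as 'erin';
# a second source repeatedly retries a single name (not a spray).
SAMPLE_LOG = """\
2024-06-25T20:13:01Z sftp auth=fail user=alice src=203.0.113.7
2024-06-25T20:13:02Z sftp auth=fail user=bob src=203.0.113.7
2024-06-25T20:13:02Z sftp auth=fail user=carol src=203.0.113.7
2024-06-25T20:13:03Z sftp auth=fail user=dave src=203.0.113.7
2024-06-25T20:13:04Z sftp auth=fail user=erin src=203.0.113.7
2024-06-25T20:13:06Z sftp auth=ok user=erin src=203.0.113.7
2024-06-25T20:13:10Z sftp auth=fail user=alice src=198.51.100.9
2024-06-25T20:14:10Z sftp auth=fail user=alice src=198.51.100.9
2024-06-25T20:15:10Z sftp auth=ok user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sftp auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one constructed log line into (timestamp, result, user, src)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect_spray(log_text: str, window_s: int = 60, min_users: int = 5) -> List[dict]:
    """Return one alert per source that failed against >= min_users distinct
    usernames inside a sliding window of window_s seconds.

    A later successful login from a flagged source is recorded in
    'success_after', which is the strongest signal that the spray found a
    real account.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[dict] = []
    by_src: Dict[str, dict] = {}

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line
        ts, result, user, src = ev

        # Drop failures that have aged out of the window for this source.
        q = recent[src]
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()

        if result == "fail":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(users) >= min_users and src not in by_src:
                alert = {
                    "src": src,
                    "users": sorted(users),
                    "first_seen": q[0][0],
                    "success_after": None,
                }
                by_src[src] = alert
                alerts.append(alert)
        elif src in by_src and by_src[src]["success_after"] is None:
            by_src[src]["success_after"] = user

    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_LOG):
        print(f"{a['src']}: {len(a['users'])} usernames from {a['first_seen']:%H:%M:%S}"
              f" -> login as {a['success_after'] or 'none yet'}")
```

The second source in the sample is deliberately not flagged: repeated failures on one account are a password guess against a known user, which calls for a different rule (and lockout), whereas distinct names from one source is the reconnaissance step that precedes exploiting an SFTP authentication bypass. Tune `min_users` and `window_s` to the normal failure rate of your own tenant before alerting on this.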

Rapid7 also observed that installers for the patched (latest) version of MOVEit Transfer had been available on VirusTotal since at least June 11, 2024, two weeks before the advisory, meaning anyone who obtained them could have diffed the fix ahead of public disclosure.

Vulnerability details and proof-of-concept exploit code are publicly available for CVE-2024-5806.

Additionally, the Shadowserver Foundation has reported exploit attempts against its honeypots as of the evening of June 25.

Rapid7 recommended installing the patches provided by Progress for CVE-2024-5806 on an emergency basis, without waiting for a regular patch cycle.

This disclosure comes roughly a year after a series of vulnerabilities in the MOVEit product range was exploited in a wave of attacks in 2023, many of them successful and widely characterized as supply chain attacks because victims were often reached through third-party providers, which impacted organizations worldwide.
