A critical security flaw affecting Progress Software MOVEit Transfer has been disclosed and is already being exploited in the wild shortly after the bug’s details were made public.
This vulnerability, identified as CVE-2024-5806 with a CVSS score of 9.1, is an authentication bypass issue that impacts several versions listed below:
- From 2023.0.0 before 2023.0.11
- From 2023.1.0 before 2023.1.6, and
- From 2024.0.0 before 2024.0.2
According to an advisory released by Progress, the flaw in Progress MOVEit Transfer (SFTP module) poses a risk of Authentication Bypass.
Additionally, Progress has also fixed another critical authentication bypass vulnerability (CVE-2024-5805, CVSS score: 9.1) in MOVEit Gateway version 2024.0.0.
Successful exploitation of these vulnerabilities could allow attackers to bypass SFTP authentication and access MOVEit Transfer and Gateway systems.
watchTowr Labs researchers have provided detailed technical information about CVE-2024-5806, pointing out that it could be used to impersonate any user on the server.
The company described the flaw as consisting of two separate vulnerabilities, one in Progress MOVEit and the other in the IPWorks SSH library.
Progress Software has emphasized that leaving the third-party component unpatched increases the risk associated with the original issue and has recommended two steps for customers to follow:
- Block public inbound RDP access to MOVEit Transfer server(s)
- Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)
Rapid7 has outlined three prerequisites for leveraging CVE-2024-5806, including knowledge of an existing username, remote authentication for the target account, and public accessibility of the SFTP service over the internet.
As of June 25, Censys data indicates that there are approximately 2,700 MOVEit Transfer instances online, with the majority located in various countries around the world.
Given the history of attacks exploiting critical issues in MOVEit Transfer, it is crucial for users to promptly update to the latest versions.
In related news, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed a recent incident involving unauthorized access to its Chemical Security Assessment Tool (CSAT) due to security flaws in the Ivanti Connect Secure (ICS) appliance.
The agency stated that although the intrusion occurred, there is no evidence of data exfiltration.
