A critical security flaw in Progress Software MOVEit Transfer, identified as CVE-2024-5806 (CVSS score: 9.1), has been disclosed and is already being exploited by threat actors shortly after the bug was made public.
The vulnerability relates to an authentication bypass affecting specific versions:
- From 2023.0.0 before 2023.0.11
- From 2023.1.0 before 2023.1.6
- From 2024.0.0 before 2024.0.2
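The ranges above are half-open (the upper bound is the first fixed build), so a naive string comparison of version numbers gets them wrong (for example "2023.0.9" sorts after "2023.0.11" as text). The following is an added example, not code from Progress, watchTowr or Rapid7: it encodes the three advisory ranges as numeric tuples and answers whether a given MOVEit Transfer build is in one of them and which release fixes it. The version strings are assumed to be dotted numerics as printed in the advisory; older branches not listed there are reported as "not in a listed range" rather than as safe.

```python
"""Check a MOVEit Transfer version string against the affected ranges that
Progress lists for CVE-2024-5806.  Added example; the range data is copied
from the advisory text above, everything else is illustrative."""
from typing import Optional, Tuple

# (first affected build inclusive, first fixed build exclusive), per branch.
AFFECTED_RANGES = [
    ((2023, 0, 0), (2023, 0, 11)),
    ((2023, 1, 0), (2023, 1, 6)),
    ((2024, 0, 0), (2024, 0, 2)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2023.0.11' into (2023, 0, 11) so comparisons are numeric.
    A missing trailing component is padded with 0 ('2023.0' -> (2023, 0, 0)).
    Plain string comparison would wrongly rank '2023.0.9' above '2023.0.11'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the build falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the same branch, or None when the
    build is not inside a listed range (already patched, or a branch the
    advisory does not cover at all)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["2023.0.9", "2023.0.11", "2023.1.5", "2024.0.1", "2024.0.2"]:
        verdict = "affected" if is_affected(sample) else "not in a listed range"
        print(f"{sample}: {verdict}, fix: {fixed_version_for(sample)}")
```

Run it against the version shown in the MOVEit Transfer admin console or the installed package metadata; a `None` result for a 2022 or earlier build means the advisory does not list that branch, not that it is patched.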
Progress Software issued an advisory on Tuesday, stating, “Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.”
Another critical SFTP-related authentication bypass vulnerability (CVE-2024-5805, CVSS score: 9.1) affecting MOVEit Gateway version 2024.0.0 has also been addressed by Progress.
Exploiting these vulnerabilities could enable attackers to bypass SFTP authentication and compromise MOVEit Transfer and Gateway systems.
watchTowr Labs researchers Aliz Hammond and Sina Kheirkhah have provided technical details about CVE-2024-5806, highlighting the potential for impersonating any user on the server.
According to watchTowr, the flaw is really two separate vulnerabilities chained together: one in Progress MOVEit Transfer itself and the other in the third-party IPWorks SSH library it uses.
According to Rapid7, leveraging CVE-2024-5806 requires attackers to have knowledge of an existing username, the target account’s ability to authenticate remotely, and public accessibility of the SFTP service over the internet.
Data from Censys as of June 25 indicates approximately 2,700 online MOVEit Transfer instances, with a majority located in the U.S., the U.K., Germany, the Netherlands, Canada, Switzerland, Australia, France, Ireland, and Denmark.
Given the history of abuse in Cl0p ransomware attacks last year (CVE-2023-34362, CVSS score: 9.8), users are advised to promptly update to the latest versions of MOVEit Transfer to mitigate risks associated with these critical vulnerabilities.
In a related development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that its Chemical Security Assessment Tool (CSAT) was targeted earlier this year by attackers exploiting security flaws in the Ivanti Connect Secure (ICS) appliance (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
The agency stated that the intrusion may have led to unauthorized access to certain data but found no evidence of data exfiltration.