Progress Software has disclosed a critical security vulnerability (CVE-2024-5806) in its MOVEit Transfer product and is urging immediate patching, as active exploitation has already been detected. The flaw sits in the SFTP module and allows an authentication bypass rooted in improper authentication; it affects several MOVEit Transfer versions released between 2023 and 2024.
Discovered and reported today by Progress Software, the vulnerability carries a CVSS score of 9.1, reflecting its severity. The announcement coincided with a detailed analysis from watchTowr Labs, which dissected the flaw and its exploitation potential. The Shadowserver Foundation noted that exploitation attempts began almost immediately after the vulnerability details were published.
MOVEit Transfer is a managed file transfer (MFT) solution utilized by organizations for secure and compliant file sharing. This vulnerability puts at risk any system running versions 2023.0.0 through 2023.0.10, 2023.1.0 through 2023.1.5, and 2024.0.0 through 2024.0.1. Users on the affected versions must upgrade to the latest patched versions, specifically 2023.0.11, 2023.1.6, and 2024.0.2, to mitigate this threat.
watchTowr Labs' investigation traces the vulnerability to the interplay between MOVEit and the IPWorks SSH library, pointing to flawed error handling and improper validation during the authentication process. Exploitation lets an attacker bypass authentication by manipulating SSH public-key handling, potentially granting unauthorized access to sensitive data.
Additionally, Censys has reported that around 2,700 MOVEit Transfer instances are currently exposed online, primarily in the United States, echoing exposure levels from the previous year. This persistent exposure underscores the critical need for organizations to promptly apply security patches.
To defend against this vulnerability:
- Move to the latest patched versions (2023.0.11, 2023.1.6, 2024.0.2) as per Progress Software's guidance.
- Follow recommended steps to block public inbound RDP access and limit outbound access to trusted endpoints.
- Check logs for unusual activity, such as failed authentication attempts and unauthorized-access errors, which may indicate exploitation attempts.
- Implement strict IP-based restrictions and ensure robust access control mechanisms.
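As an added example for inventory triage (not code from Progress Software or the advisory), the check below maps a MOVEit Transfer version string onto the affected ranges and patched builds quoted above and tells you which build to move to; the host names and version values in it are constructed, and any branch the article does not list is reported as unlisted rather than assumed safe.

```python
"""Triage MOVEit Transfer versions against the CVE-2024-5806 ranges quoted
in the advisory and name the patched build to upgrade to.

Constructed example: only the three branches quoted in the article are
known here; other branches are flagged for manual review, not assumed safe.
"""
import re

# branch (major, minor) -> (first affected, last affected, fixed build)
AFFECTED = {
    (2023, 0): ((2023, 0, 0), (2023, 0, 10), (2023, 0, 11)),
    (2023, 1): ((2023, 1, 0), (2023, 1, 5), (2023, 1, 6)),
    (2024, 0): ((2024, 0, 0), (2024, 0, 1), (2024, 0, 2)),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Turn '2023.1.4' into (2023, 1, 4); reject anything else loudly."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(text):
    """Return (status, fixed_build_or_None).

    status is 'affected' (inside a quoted range), 'patched' (at or above the
    fixed build of a quoted branch) or 'unlisted' (branch not quoted in the
    advisory text above, so it needs a manual check against the vendor)."""
    v = parse_version(text)
    branch = AFFECTED.get(v[:2])
    if branch is None:
        return "unlisted", None
    first, last, fixed = branch
    fixed_str = ".".join(map(str, fixed))
    if first <= v <= last:          # tuple comparison: major, minor, patch
        return "affected", fixed_str
    return "patched", fixed_str


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"mft-01": "2023.0.9", "mft-02": "2024.0.2", "mft-03": "2022.1.3"}
    for host, ver in inventory.items():
        status, fixed = assess(ver)
        hint = f" (upgrade to {fixed})" if status == "affected" else ""
        print(f"{host}: {ver} -> {status}{hint}")
```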
In 2023, the Clop ransomware gang exploited earlier vulnerabilities in MOVEit Transfer to carry out highly damaging attacks. Those attacks hit thousands of high-profile victims worldwide and resulted in significant data theft and destruction, which underlines the critical importance of promptly addressing any newly discovered vulnerability in the software to prevent similar incidents.