Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2024-5806: Progress MOVEit Transfer Authentication Bypass Vulnerability

Tenable Research Blog Header Proof of Concept Available

Progress Software has patched a high severity authentication bypass in the MOVEit managed file transfer (MFT) solution. As MOVEit has been a popular target for ransomware gangs and other threat actors, we strongly recommend prioritizing patching of this vulnerability.

Update June 26: The Analysis section has been updated to include information about exploitation attempts.

View Change Log

Background

On June 25, Progress published an advisory for a vulnerability in MOVEit Transfer, a secure managed file transfer (MFT) solution:

CVEDescriptionCVSSv3
CVE-2024-5806MOVEit Transfer Authentication Bypass Vulnerability7.4

Analysis

CVE-2024-5806 is an authentication bypass vulnerability affecting the SSH File Transfer Protocol (SFTP) module in Progress MOVEit Transfer. According to the advisory, this vulnerability is only exploitable in “limited scenarios,” however no further information was available on what those scenarios may be. A technical analysis of this vulnerability by researchers at watchTowr provides more analysis on how they recreated the vulnerability and we recommend reviewing their blog post for additional insight and indicators of compromise (IoCs) for defenders.

Past Exploitation of MOVEit Transfer

On May 27, 2023, the ransomware group known as CLOP (or TA505) began mass exploitation of MOVEit Transfer MFT’s by exploiting a then zero-day SQL injection vulnerability (CVE-2023-34362). Hundreds of organizations were impacted by these attacks, with data breach reports tallying millions of affected individuals in the weeks and months after the attacks were identified and disclosed. With MFTs offering a treasure trove of sensitive information, opportunistic attackers have targeted them in order to steal sensitive data and extort victims. Additional MFT related attacks by the nefarious Cl0p ransomware group also include the exploitation of Accellion’s File Transfer Appliance (FTA) in 2020 and Fortra’s GoAnywhere MFT in January 2023.

The attacks by Cl0p gained attention from The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) who issued a joint cybersecurity advisory for CVE-2023-34362 (AA23-158A) on June 7, 2023 as part of their #StopRansowmare campaign.

Given the mass exploitation of MOVEit Transfer in the past, we highly recommend taking action to patch this vulnerability as soon as possible.

Exploitation attempts have been observed

In a post on X (formerly Twitter), The Shadowserver Foundation noted that they began seeing exploitation attempts shortly after details emerged for CVE-2024-5806.

Proof of concept

On June 25, researchers at watchTowr published a detailed technical writeup alongside exploit code that demonstrates this vulnerability. According to watchTowr, there are some barriers for exploitation, such as the attacker needing to know a valid username on the system and being able to bypass any IP-based restrictions that an organization may have in place. watchTowr notes that Progress has made many attempts, under embargo, to contact affected customers in order to ensure they had adequate time to apply patches prior to the security advisory being made public.

watchTowr blog screenshot

Credit: watchTowr blog

Solution

Progress has released fixed versions of MOVEit Transfer. The following table reflects the affected and patched versions:

Affected VersionsPatched Version
2023.0.0 before 2023.0.112023.0.11
2023.1.0 before 2023.1.62023.1.6
2024.0.0 before 2024.0.22024.0.2

According to the advisory from Progress, customers using MOVEit Cloud environments have already been patched and are not “vulnerable to this exploit.”

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-5806 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Change Log

Update June 26: The Analysis section has been updated to include information about exploitation attempts.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.