Security
Headlines
HeadlinesLatestCVEs

Headline

Fresh MOVEit Bug Under Attack Mere Hours After Disclosure

The high-severity CVE-2024-5806 allows cyberattackers to authenticate to the file-transfer platform as any valid user, with accompanying privileges.

DARKReading
#vulnerability#ios#samba#auth#ssh

A high-severity security vulnerability in Progress Software’s MOVEit Transfer software could allow cyberattackers to get around the platform’s authentication mechanisms — and it’s being actively exploited in the wild just hours after it was made public.

MOVEit Transfer is an application for file sharing and collaboration in large-scale enterprises; it was infamously targeted last year in a rash of Cl0p ransomware attacks that affected at least 160 victims, including British Airways, the state of Maine, Siemens, UCLA, and more. The level of mass exploitation was such that it materially affected the results of this year’s “Data Breach Investigations Report” (DBIR) from Verizon.

The new bug (CVE-2024-5806, CVSS: 7.4) is an improper authentication vulnerability in MOVEit’s SFTP module that “can lead to authentication bypass in limited scenarios,” according to Progress’ security advisory on the issue today, which also includes patching information. It affects versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2 of MOVEit Transfer.

Admins should patch the issue immediately — not only is MOVEit on cybercriminals’ radar screens after the events of last year, but the ability to access internal files at Fortune 1000 companies is a juicy plum for any espionage-minded advanced persistent threat (APT). And, according to a short note from the nonprofit Shadowserver Foundation, “very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts.” It also reported that there are at least 1,800 exposed instances online (though not all of them are vulnerable).

Progress didn’t provide any details on the bug, but researchers at watchTowr, who called the vulnerability “truly bizarre,” have been able to determine two attack scenarios. In one case, an attacker could perform “forced authentication” using a malicious SMB server and a valid username (enabled by a dictionary-attack approach).

In another, more dangerous attack, a threat actor could impersonate any user on the system. "[We can] upload our SSH public key to the server without even logging in, and then use that key material to allow us to authenticate as anyone we want," according to watchTowr’s post. “From here, we can do anything the user can do — including reading, modifying, and deleting previously protected and likely sensitive data.”

About the Author(s)

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Related news

We’re not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop.

MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers

While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.

New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!

A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed. The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions - From 2023.0.0 before 2023.0.11 From 2023.1.0 before 2023.1.6, and&

DARKReading: Latest News

US Ban on TP-Link Routers More About Politics Than Exploitation Risk