Fresh MOVEit Bug Under Attack Mere Hours After Disclosure

A high-severity security vulnerability in Progress Software’s MOVEit Transfer software could allow cyberattackers to get around the platform’s authentication mechanisms — and it’s being actively exploited in the wild just hours after it was made public.

MOVEit Transfer is an application for file sharing and collaboration in large-scale enterprises; it was infamously targeted last year in a rash of Cl0p ransomware attacks that affected at least 160 victims, including British Airways, the state of Maine, Siemens, UCLA, and more. The level of mass exploitation was such that it materially affected the results of this year’s “Data Breach Investigations Report” (DBIR) from Verizon.

The new bug (CVE-2024-5806, CVSS: 7.4) is an improper authentication vulnerability in MOVEit’s SFTP module that “can lead to authentication bypass in limited scenarios,” according to Progress’ security advisory on the issue today, which also includes patching information. It affects versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2 of MOVEit Transfer.

Admins should patch the issue immediately — not only is MOVEit on cybercriminals’ radar screens after the events of last year, but the ability to access internal files at Fortune 1000 companies is a juicy plum for any espionage-minded advanced persistent threat (APT). And, according to a short note from the nonprofit Shadowserver Foundation, “very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts.” It also reported that there are at least 1,800 exposed instances online (though not all of them are vulnerable).

Progress didn’t provide any details on the bug, but researchers at watchTowr, who called the vulnerability “truly bizarre,” have been able to determine two attack scenarios. In one case, an attacker could perform “forced authentication” using a malicious SMB server and a valid username (enabled by a dictionary-attack approach).

In another, more dangerous attack, a threat actor could impersonate any user on the system. "[We can] upload our SSH public key to the server without even logging in, and then use that key material to allow us to authenticate as anyone we want," according to watchTowr’s post. “From here, we can do anything the user can do — including reading, modifying, and deleting previously protected and likely sensitive data.”

About the Author(s)

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.