Advisory June 27, 2024

MOVEit Critical Vulnerabilities

The Obrela Threat Intelligence Team

Two authentication bypass vulnerabilities have been discovered in MOVEit. CVE-2024-5806 affects MOVEit Transfer and CVE-2024-5805 affects MOVEit Gateway. Both vulnerabilities carry a Critical CVSS 3 base score of 9.1 out of 10.

Description:

CVE-2024-5806 is an authentication bypass vulnerability in the SSH File Transfer Protocol (SFTP) module of Progress MOVEit Transfer. Exploiting this vulnerability allows attackers to access sensitive information stored on the MOVEit Transfer server and potentially modify or delete it.

Exploitation is possible only in “limited scenarios,” though specific details on these scenarios are not provided.

Proof-of-concept exploit code has already been publicly released by watchTowr and vulnerability researchers Sina Kheirkhah and Aliz Hammond. With this information now available, attacks are expected to escalate rapidly, making it crucial for organizations to quickly apply the relevant security updates and mitigations.

CVE-2024-5805 is an improper authentication vulnerability affecting Progress MOVEit Gateway. The vulnerability allows authentication bypass in the SFTP module of MOVEit Gateway.

Affected Versions:

CVE-2024-5806 and CVE-2024-5805 affect multiple versions as seen below:

  • 2023.0.0 before 2023.0.11
  • 2023.1.0 before 2023.1.6
  • 2024.0.0 before 2024.0.22
  • 2024.0.0

Recommendations:

To mitigate these critical vulnerabilities, all organizations should promptly apply relevant security updates.

The updated versions are the following:

  • 2023.0.11
  • 2023.1.6
  • 2024.0.2

MOVEit Cloud customers do not need to take any action to address the critical flaw, as patches have already been automatically applied.
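To turn the fixed-version list above into a quick check across an on-premises inventory, the following script (an added example, not code from Progress or from the advisory) parses each installed MOVEit version and reports whether it sits below the fixed build for its release branch. Host names and version strings in the sample inventory are constructed; any branch the advisory does not list is reported as unknown for manual review.

```python
"""Version triage for the MOVEit advisory: flags installed builds that are below
the fixed builds the advisory lists (2023.0.11, 2023.1.6, 2024.0.2)."""
from typing import Dict, Optional, Tuple

# Fixed build per release branch, taken from the advisory's "updated versions" list.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2023, 0): (2023, 0, 11),
    (2023, 1): (2023, 1, 6),
    (2024, 0): (2024, 0, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2023.1.4' into (2023, 1, 4); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    major, minor, build = (int(p) for p in parts[:3])
    return (major, minor, build)


def triage(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_build) for one installed version.

    status is 'vulnerable' (below the fixed build of its branch), 'patched'
    (at or above it) or 'unknown' (branch not covered by the advisory)."""
    installed = parse_version(version)
    fixed = FIXED_BUILDS.get(installed[:2])
    if fixed is None:
        return "unknown", None
    fixed_str = ".".join(str(n) for n in fixed)
    if installed < fixed:
        return "vulnerable", fixed_str
    return "patched", fixed_str


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map host name -> triage result for a dict of host -> installed version string."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up for illustration.
    sample = {"mft-01": "2023.0.10", "mft-02": "2024.0.2",
              "gw-01": "2024.0.0", "mft-03": "2022.1.3"}
    for host, (status, fixed) in triage_inventory(sample).items():
        print(f"{host}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```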

Progress also discovered a separate vulnerability in a third-party component used in MOVEit Transfer, which increases the risk posed by CVE-2024-5806. No update is available yet. To mitigate this flaw until an update is released, system administrators should block Remote Desktop Protocol (RDP) access to the MOVEit Transfer servers and restrict outbound connections to known, trusted endpoints.
