CVE-2024-5805 & CVE-2024-5806: Authentication Bypass Vulnerabilities in Progress MOVEit Transfer and MOVEit Gateway


On June 25, 2024, Progress disclosed two vulnerabilities affecting MOVEit Transfer and MOVEit Gateway: 

CVE-2024-5805: A critical severity authentication bypass vulnerability affecting MOVEit Gateway (SFTP module). MOVEit Gateway is a proxy for MOVEit Transfer, designed to securely handle inbound connections when deployed behind a firewall. 

CVE-2024-5806: A high severity authentication bypass vulnerability affecting MOVEit Transfer, which Progress has stated can be exploited in ‘limited’ scenarios. Alongside Progress’s disclosure, watchTowr published its own technical research article demonstrating through a proof of concept that the attack complexity of the vulnerability is lower than suggested by Progress. Their research also uncovered a third-party vulnerability in the IPWorks SSH library, which is used by the MOVEit product. Because the library is integral to the functionality of MOVEit, the risk of CVE-2024-5806 is elevated.

  • Exploitation for CVE-2024-5806 requires that threat actors know an existing username, the target account is capable of remote authentication, and the SFTP service is exposed; however, it is not difficult for threat actors to conduct spraying attacks to obtain valid accounts. 

A security vendor began observing exploitation attempts against their honeypots for CVE-2024-5806 shortly after the vulnerability was disclosed. Threat actors are likely to further target this vulnerability soon due to the availability of publicly accessible exploit code and the potential access it can provide. One of the most notable cyber incidents in 2023 involved the Cl0p ransomware group exploiting a different MOVEit Transfer vulnerability (CVE-2023-34362) to target over 2,000 organizations globally. 

Recommendations for CVE-2024-5805 & CVE-2024-5806

Recommendation #1: Upgrade to Latest Fixed Versions

Arctic Wolf strongly recommends upgrading to the latest fixed versions. Progress states the full installer must be used when performing the upgrades, and there will be a system outage while the upgrade is running. 

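| Product | Vulnerability | Affected Version | Fixed Version |
| --- | --- | --- | --- |
| Progress MOVEit Transfer | CVE-2024-5806 | Versions before 2023.0.11 | 2023.0.11 |
| Progress MOVEit Transfer | CVE-2024-5806 | Versions before 2023.1.6 | 2023.1.6 |
| Progress MOVEit Transfer | CVE-2024-5806 | Versions before 2024.0.2 | 2024.0.2 |
| Progress MOVEit Gateway (SFTP Module) | CVE-2024-5805 | Versions before 2024.0.0 | 2024.0.1 |
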
  • Customers using the MOVEit Cloud environment were patched and are no longer vulnerable to CVE-2024-5806. 
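
One way to triage an inventory against the MOVEit Transfer (CVE-2024-5806) rows of the table above, as an added example that is not code from Progress or Arctic Wolf. It assumes versions are recorded in release form such as 2023.0.9 (an optional fourth build component is ignored); the hostnames and inventory are constructed for illustration.

```python
# Fixed release per branch, from the table above: (year, minor) -> patch.
FIXED = {(2023, 0): 11, (2023, 1): 6, (2024, 0): 2}


def parse_version(text):
    """Parse 'YYYY.minor.patch[.build]' into a 3-tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def triage(text):
    """Return (status, minimum_fixed); status is 'affected', 'fixed' or 'review'."""
    try:
        year, minor, patch = parse_version(text)
    except ValueError:
        return ("review", None)
    branch = (year, minor)
    if branch in FIXED:
        target = f"{year}.{minor}.{FIXED[branch]}"
        # Compare as integers: as strings, "9" would sort after "11".
        return ("affected" if patch < FIXED[branch] else "fixed", target)
    oldest = min(FIXED)
    if branch < oldest:
        # Older than every listed branch, so "before 2023.0.11" applies.
        return ("affected", f"{oldest[0]}.{oldest[1]}.{FIXED[oldest]}")
    # Branch not in the table (newer or unlisted): needs a manual check.
    return ("review", None)


# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = {
    "mft-prod-01": "2023.0.9",
    "mft-prod-02": "2023.1.6",
    "mft-dr-01": "2022.1.4",
    "mft-test-01": "2024.0.1.87",
    "mft-lab-01": "unknown",
}


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, (status, target) in sorted(report(INVENTORY).items()):
        print(f"{host:12} {INVENTORY[host]:12} {status:9} minimum fixed: {target or '-'}")
```

Hosts reported as "review" have a version string that could not be parsed or a branch the table does not list, and should be checked by hand against the Progress advisory.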

Recommendation #2: Mitigate Third-Party (IPWorks SSH) Vulnerability

Although the patch released by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, the newly disclosed third-party vulnerability in IPWorks SSH presents a new risk. 

Progress recommends taking the following steps to mitigate the third-party vulnerability: 

  • Verify you have blocked public inbound RDP access to MOVEit Transfer server(s) 
  • Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s) 

When the third-party vendor releases a fix, Progress has stated it will be available to MOVEit Transfer customers. 

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.