CVE-2024-5805 & CVE-2024-5806: Authentication Bypass Vulnerabilities in Progress MOVEit Transfer and MOVEit Gateway

Share :

On June 25, 2024, Progress disclosed two vulnerabilities affecting MOVEit Transfer and MOVEit Gateway: 

CVE-2024-5805: A critical severity authentication bypass vulnerability affecting MOVEit Gateway (SFTP module). MOVEit Gateway is a proxy for MOVEit Transfer, designed to securely handle inbound connections when deployed behind a firewall. 

CVE-2024-5806: A high severity authentication bypass vulnerability affecting MOVEit Transfer, which Progress has stated can be exploited in ‘limited’ scenarios. Alongside the Progress’s disclosure, Watchtowr published their own technical research article demonstrating through a proof of concept that the attack complexity of the vulnerability is lower than suggested by Progress. In their research, a third-party vulnerability was also discovered in the IPWorks SSH library, which is utilized by the MOVEit product. Due to the library being integral to the functionality of MOVEit, the risk of CVE-2024-5806 is elevated. 

  • Exploitation for CVE-2024-5806 requires that threat actors know an existing username, the target account is capable of remote authentication, and the SFTP service is exposed; however, it is not difficult for threat actors to conduct spraying attacks to obtain valid accounts. 

A security vendor began observing exploitation attempts against their honeypots for CVE-2024-5806 shortly after the vulnerability was disclosed. Threat actors are likely to further target this vulnerability soon due to the availability of publicly accessible exploit code and the potential access it can provide. One of the most notable cyber incidents in 2023 involved the Cl0p ransomware group exploiting a different MOVEit Transfer vulnerability (CVE-2023-34362) to target over 2,000 organizations globally. 

Recommendations for CVE-2024-5805 & CVE-2024-5806

Recommendation #1: Upgrade to Latest Fixed Versions

Arctic Wolf strongly recommends upgrading to the latest fixed versions. Progress states the full installer must be used when performing the upgrades, and there will be a system outage while the upgrade is running. 

Product  Vulnerability  Affected Version  Fixed Version 
Progress MOVEit Transfer  CVE-2024-5806  Versions before 2023.0.11  2023.0.11 
Versions before 2023.1.6  2023.1.6 
Versions before 2024.0.2  2024.0.2 
Progress MOVEit Gateway (SFTP Module)  CVE-2024-5805  Versions before 2024.0.0  2024.0.1 
  • Customers using the MOVEit Cloud environment were patched and are no longer vulnerable to CVE-2024-5806. 

Recommendation #2: Mitigate Third-Party (IPWorks SSH) Vulnerability

Although the patch released by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, the newly disclosed third-party vulnerability in IPWorks SSH presents a new risk. 

Progress recommends taking the following steps to mitigate the third-party vulnerability: 

  • Verify you have blocked public inbound RDP access to MOVEit Transfer server(s) 
  • Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s) 

When the third-party vendor releases a fix, Progress has stated it will be available to MOVEit Transfer customers. 


Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Subscribe to our Monthly Newsletter