A critical security vulnerability, CVE-2024-5806, has been identified in MOVEit Transfer, a widely used managed file transfer software, posing significant risks to organizations relying on it for secure data transfers.
The vulnerability stems from improper validation of user-supplied input during the authentication process. It can be exploited by sending specially crafted requests to the MOVEit Transfer server, bypassing authentication checks and gaining administrative access. Affected versions include MOVEit Transfer 2023.0.0 to 2023.0.10, 2023.1.0 to 2023.1.5, and 2024.0.0 to 2024.0.1.
Progress strongly urges all MOVEit Transfer customers using the affected versions to immediately upgrade to the latest patched versions, which are:
- MOVEit Transfer 2023.0.11
- MOVEit Transfer 2023.1.6
- MOVEit Transfer 2024.0.2
Researchers at Rapid7 have confirmed they could reproduce the exploit and achieve an authentication bypass against vulnerable, unpatched versions of MOVEit Transfer and MOVEit Gateway. The improper authentication vulnerability in MOVEit Transfer’s SFTP module allows attackers to bypass authentication mechanisms and gain unauthorized access to the system, potentially leading to data breaches, theft of sensitive information, and other malicious activities.
Researchers at watchTowr initially disclosed the vulnerability and published a detailed technical analysis. To mitigate the risk, customers are advised to upgrade to the patched versions of MOVEit Transfer using the full installer, noting that the upgrade process will cause a system outage while running.
This vulnerability does not affect MOVEit Cloud customers, as the patch has already been deployed to the cloud infrastructure. MOVEit Cloud is also safeguarded against third-party vulnerabilities through strict access controls on the underlying infrastructure.
To mitigate the third-party vulnerability, Progress recommends the following steps:
- Verify that public inbound RDP access to MOVEit Transfer servers is blocked.
- Limit outbound access from MOVEit Transfer servers to only known trusted endpoints.
- Progress will make the third-party vendor’s fix available to MOVEit Transfer customers once released. The company has acknowledged the severity of CVE-2024-5806 and is working closely with customers to ensure the vulnerability is addressed swiftly, providing detailed guidance on applying the patch and securing affected systems.
Progress encourages customers to sign up for the Progress Alert and Notification Service (PANS) to receive email notifications for future product and security updates. Customers can log into the Progress Community Portal to subscribe to PANS and refer to Progress’s FAQ page for information and frequently asked questions about Progress Alert Notifications.
