Progress Software this week publicly announced patches for two critical authentication bypass vulnerabilities affecting its MOVEit Transfer file transfer software, and exploitation attempts have already been seen for one of them.
Separate advisories published by Progress on June 25 inform customers about CVE-2024-5805 and CVE-2024-5806, both described as improper authentication issues in the MOVEit Transfer product’s SFTP module. Their exploitation can allow an attacker to bypass authentication.
CVE-2024-5806 has been patched with the release of MOVEit Transfer versions 2023.0.11, 2023.1.6, and 2024.0.2. CVE-2024-5805 only impacts 2024.0.0 and it has been fixed with the release of version 2024.0.1.
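As an added check (not Progress Software's code), the following script compares an installed MOVEit Transfer version against the fixed versions listed above and reports which fixes are missing. It assumes that every earlier build in the same release branch lacks the fix, and that a branch with no fix listed in the advisories is outside their scope; both are inferences from the version list, not statements from the advisories.

```python
"""Assess a MOVEit Transfer version against the June 25 advisories."""
from typing import Dict, List, Tuple

# Fixed versions per CVE, as given in the Progress advisories.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2024-5806": ["2023.0.11", "2023.1.6", "2024.0.2"],
    # CVE-2024-5805 affects only 2024.0.0 and is fixed in 2024.0.1.
    "CVE-2024-5805": ["2024.0.1"],
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'YYYY.minor.patch' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MOVEit Transfer version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(installed: str) -> dict:
    """Return which CVE fixes the installed build lacks.

    A branch (e.g. 2023.1) counts as covered by the advisories only if at
    least one fixed version was published for it; other branches are
    flagged so they are reviewed separately instead of reported as clean.
    """
    inst = parse_version(installed)
    branch = inst[:2]
    known_branches = {parse_version(v)[:2]
                      for fixed in FIXED_VERSIONS.values() for v in fixed}
    if branch not in known_branches:
        return {"version": installed, "in_advisory_scope": False, "missing": []}
    missing: List[str] = []
    for cve, fixed_list in FIXED_VERSIONS.items():
        for fixed in fixed_list:
            fv = parse_version(fixed)
            # Same branch and older than the fixed build: fix is missing.
            if fv[:2] == branch and inst < fv:
                missing.append(cve)
                break
    return {"version": installed, "in_advisory_scope": True, "missing": missing}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up.
    inventory = {"mft-01": "2023.0.10", "mft-02": "2024.0.1", "mft-03": "2022.1.3"}
    for host, version in inventory.items():
        print(host, assess(version))
```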
Progress noted in its advisory for CVE-2024-5806 that a newly identified third-party component vulnerability elevates the risk for this CVE. The company has shared some mitigations for this third-party flaw until a patch becomes available. Mitigations include blocking public inbound RDP access and limiting outbound access to trusted endpoints.
Also on June 25, cybersecurity firm WatchTowr made public technical details for CVE-2024-5806 and showed how an attacker could exploit it to gain access to a vulnerable system. The company noted that the vendor had been privately urging customers to patch the vulnerability for weeks.
WatchTowr also described a second vulnerability, this one affecting the IPWorks SSH server library used by MOVEit Transfer. The library is impacted by a forced authentication vulnerability that likely affects all applications using it, potentially allowing attackers to achieve a full system compromise.
This IPWorks SSH library is likely the third-party component referenced in Progress’ advisory.
“We do not expect anyone to still be vulnerable due to the embargo, and the efforts taken proactively by Progress to ensure customers deployed patches,” WatchTowr said.
However, the non-profit cybersecurity organization Shadowserver Foundation reported seeing exploitation attempts targeting CVE-2024-5806 shortly after details were made public.
Rapid7 noted in a blog post on Tuesday that Shadowserver has seen exploitation attempts in its honeypots, but “honeypot activity does not always correlate to threat activity in real-world production environments”.
Honeypots can capture scanning activity whose goal is to identify potentially vulnerable systems. Such scanning may be conducted by malicious actors who are planning attacks, but also by the cybersecurity research community.
Shadowserver is seeing roughly 1,700 internet-exposed MOVEit Transfer instances, a majority in North America.
An analysis by Censys showed 2,700 MOVEit Transfer instances online, a majority in the United States, followed by the United Kingdom and Germany.
Censys pointed out that the number of exposed instances is roughly the same as in June 2023, when the Cl0p ransomware group exploited a MOVEit Transfer zero-day vulnerability tracked as CVE-2023-34362 to steal data from dozens of major organizations.
CISA recently warned organizations about attacks targeting a flaw in Progress Software’s Telerik Report Server.