Hackers Start Attempting Exploitation of Critical MOVEit Transfer Vulnerability
Progress Software has recently disclosed two flaws in its MOVEit Transfer managed file transfer solution, and one flaw in MOVEit Gateway. The first attempts at exploitation were detected within a day of the public disclosures. All three of the flaws are authentication bypass issues and successful exploitation would allow unauthorized individuals to gain access to sensitive data.
The MOVEit Transfer flaws affect the following MOVEit versions:
- 2023.0.0 before 2023.0.11
- 2023.1.0 before 2023.1.6
- 2024.0.0 before 2024.0.2
The most serious MOVEit Transfer vulnerability is a critical flaw tracked as CVE-2024-5805 which has a CVSS score of 9.1. The second flaw is tracked as CVE-2024-5806 and is rated high-severity with a CVSS score of 7.4. The second vulnerability is in a third-party component of MOVEit Transfer and a patch for that vulnerability has not yet been released.
Progress Software said it notified customers about the flaws on June 11, 2024, and patched the CVE-2024-5805 vulnerability in versions 2023.0.11, 2023.1.6, and 2024.0.2, which are available for download on the Progress Community portal. The vulnerability has already been patched in MOVEit Cloud, so no action is required to mitigate the flaw. The MOVEit Gateway flaw affects version 2024.0.0 and has a CVSS score of 9.1. The vulnerability has been fixed in version 2024.0.1.
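The version ranges above are easy to misjudge by eye (2023.0.2 sorts before 2023.0.11 numerically but after it as a string). The following is an added example, not code from the article or from Progress Software, that encodes the affected and fixed versions stated above and triages a constructed host inventory against them; the hostnames are assumptions.

```python
"""Added example (not from the article): check whether a MOVEit Transfer or
MOVEit Gateway build falls inside the affected version ranges the article lists.
Versions are parsed into integer tuples so that 2023.0.11 sorts after 2023.0.2,
which a plain string comparison would get wrong."""
from typing import List, Tuple

# Ranges from the article: (first vulnerable, first fixed) for each branch.
# A build is vulnerable if first_vulnerable <= build < first_fixed.
# Branches the article does not list (for example 2022.x) are reported as
# not in range here; confirm their status against the vendor advisory.
AFFECTED = {
    "MOVEit Transfer": [
        ("2023.0.0", "2023.0.11"),
        ("2023.1.0", "2023.1.6"),
        ("2024.0.0", "2024.0.2"),
    ],
    # MOVEit Gateway: 2024.0.0 is affected, fixed in 2024.0.1.
    "MOVEit Gateway": [
        ("2024.0.0", "2024.0.1"),
    ],
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2023.0.11' into (2023, 0, 11); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product: str, version: str) -> bool:
    """True if the build lies inside an affected range for the product."""
    build = parse_version(version)
    return any(parse_version(low) <= build < parse_version(high)
               for low, high in AFFECTED[product])

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need the patch."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]

if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("mft-01.example.internal", "MOVEit Transfer", "2023.0.2"),
        ("mft-02.example.internal", "MOVEit Transfer", "2023.0.11"),
        ("mft-03.example.internal", "MOVEit Transfer", "2024.0.1"),
        ("gw-01.example.internal", "MOVEit Gateway", "2024.0.0"),
    ]
    for host, product, version in triage(sample):
        print(f"{host}: {product} {version} is in an affected range; patch required")
```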
The security company watchTowr was notified about the CVE-2024-5805 vulnerability and conducted its own investigation. After Progress Software lifted the embargo on the vulnerability on June 25, 2024, the researchers published technical details about the CVE-2024-5805 flaw, including how it can be exploited along with proof-of-concept (PoC) exploit code. PoC exploits have also been released by other security researchers.
Hackers have started trying to attack vulnerable endpoints, so immediate patching is required if customers have not yet updated to the latest version. Since a patch for the third-party flaw has yet to be released by the vendor, action is required to prevent exploitation. Progress Software recommends blocking Remote Desktop Protocol (RDP) access to MOVEit Transfer servers and restricting outbound connections to known and trusted endpoints.
While the vulnerabilities do not appear to be as serious as the 2023 vulnerability in MOVEit Transfer that was exploited by the Clop group on more than 2,700 publicly exposed MOVEit Transfer servers, updating to the patched version and applying the recommended mitigations should not be delayed. According to Jared Semrau, senior manager of vulnerability and exploitation at Mandiant Intelligence, it would be trivial for an attacker to exploit the CVE-2024-5805 vulnerability if they had an address for a vulnerable MOVEit instance and a valid username.
On June 27, 2024, the Health Sector Cybersecurity Coordination Center issued a sector alert about the vulnerabilities, which can be viewed here.