Vulnerabilities could lead to threat actors bypassing SFTP authentication and gaining access to file transfer processes, as exploitation has already been observed.
Progress Software has published a security alert warning of two new vulnerabilities in its file transfer software.
CVE-2024-5805 is rated as a critical SFTP-associated authentication bypass vulnerability in Progress Software’s MOVEit Gateway product, while CVE-2024-5806 is a high-severity authentication bypass issue impacting the MOVEit Transfer SFTP service.
Progress has released fixes for both vulnerabilities and is urging customers to upgrade to the latest versions of each product.
“Upgrading to a patched release, using the full installer, is the only way to remediate this issue,” Progress said of both fixes, warning that the system will experience an outage while the upgrade is in progress.
Following the vulnerability disclosures, researchers at Rapid7 were able to test a MOVEit Transfer 2023.0.1 instance “which appeared to be vulnerable in the default configuration”.
“As of June 25, the known criteria for exploitation are threefold: that attackers have knowledge of an existing username, that the target account can authenticate remotely, and that the SFTP service is exposed,” Rapid7 said in a blog post.
“It’s possible that attackers may spray usernames to identify valid accounts.”
According to the internet-mapping search engine Shodan, there are just over 1,000 public-facing MOVEit Transfer SFTP servers, the vast majority of which are in the United States, although 10 are in Australia. There are about 70 public-facing MOVEit Gateway SFTP servers, though, as Rapid7 noted, not all of these are necessarily vulnerable to these specific CVEs.
Unfortunately, according to the non-profit cyber security firm the Shadowserver Foundation, hackers are already looking to exploit the vulnerabilities.
“Very shortly after vulnerability details were published today, we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts,” the Shadowserver Foundation said in a post on LinkedIn.
“If you run MOVEit & have not patched yet – please do so now.”
In June 2023, a similar vulnerability in Progress Software’s MOVEit Transfer product was heavily exploited by the Clop ransomware gang. That one vulnerability saw more than 2,600 companies and organisations impacted, among them Medibank, Fortescue, and Shell, with six of the victims in Australia.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.