
Exploitation Attempts Target New MOVEit Transfer Vulnerability

Exploitation attempts targeting CVE-2024-5806, a critical MOVEit Transfer vulnerability patched recently, have started.


Progress Software this week publicly announced patches for two critical authentication bypass vulnerabilities affecting its MOVEit Transfer file transfer software, and exploitation attempts have already been seen for one of them.

Separate advisories published by Progress on June 25 inform customers about CVE-2024-5805 and CVE-2024-5806, both described as improper authentication issues in the MOVEit Transfer product’s SFTP module. Their exploitation can allow an attacker to bypass authentication.

CVE-2024-5806 has been patched with the release of MOVEit Transfer versions 2023.0.11, 2023.1.6, and 2024.0.2. CVE-2024-5805 only impacts 2024.0.0 and it has been fixed with the release of version 2024.0.1. 
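
An added example, not code from SecurityWeek or Progress: a patch-level triage built only from the release numbers above. It assumes versions are recorded in the year-based form used in this article, treats a build older than its branch's fixed release as unpatched, and returns "unknown" for branches the article does not name; the hostnames and inventory are constructed.

```python
# Added example: patch triage from the release numbers quoted in the article.
# Assumption: versions are recorded in the article's year-based form ("2023.1.5").
CVES = ("CVE-2024-5806", "CVE-2024-5805")
# First fixed patch level per release branch for CVE-2024-5806.
FIXED_5806 = {(2023, 0): 11, (2023, 1): 6, (2024, 0): 2}

def parse_version(text):
    """Return (year, minor, patch), or None if the string has another shape."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(version_text):
    """Return {cve: status}; status is unpatched, patched, not-affected or unknown.

    The patch level is compared inside its own branch only: 2023.1.5 sorts
    above 2023.0.11 but still lacks the 2023.1.6 fix.
    """
    version = parse_version(version_text)
    if version is None or version[:2] not in FIXED_5806:
        # Unparseable, or a branch the article does not name: check the advisory.
        return dict.fromkeys(CVES, "unknown")
    branch, patch = version[:2], version[2]
    s5806 = "patched" if patch >= FIXED_5806[branch] else "unpatched"
    if branch != (2024, 0):
        s5805 = "not-affected"  # article: CVE-2024-5805 only impacts 2024.0.0
    else:
        s5805 = "unpatched" if patch == 0 else "patched"  # fixed in 2024.0.1
    return {"CVE-2024-5806": s5806, "CVE-2024-5805": s5805}

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {
    "mft-01.example": "2023.0.11",
    "mft-02.example": "2023.1.5",
    "mft-03.example": "2024.0.1",
    "mft-04.example": "2022.1.9",
}

def needs_action(inventory):
    """Hosts with any status other than patched/not-affected, sorted by name."""
    ok = {"patched", "not-affected"}
    return sorted(h for h, v in inventory.items()
                  if set(triage(v).values()) - ok)

if __name__ == "__main__":
    print(needs_action(INVENTORY))
```

Note that 2024.0.1 closes CVE-2024-5805 but is still flagged, because the CVE-2024-5806 fix in that branch arrives with 2024.0.2.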

Progress noted in its advisory for CVE-2024-5806 that a newly identified third-party component vulnerability elevates the risk for this CVE. The company has shared some mitigations for this third-party flaw until a patch becomes available. Mitigations include blocking public inbound RDP access and limiting outbound access to trusted endpoints. 

Also on June 25, cybersecurity firm WatchTowr made public technical details for CVE-2024-5806 and showed how an attacker could exploit it to gain access to a vulnerable system. The company noted that the vendor had been privately urging customers to patch the vulnerability for weeks. 

However, WatchTowr also described a second vulnerability, one affecting the IPWorks SSH server library used by MOVEit Transfer. This library is impacted by a forced authentication vulnerability that likely affects all applications using it, potentially allowing attackers to achieve a full system compromise. 

This IPWorks SSH library is likely the third-party component referenced in Progress’ advisory.  

“We do not expect anyone to still be vulnerable due to the embargo, and the efforts taken proactively by Progress to ensure customers deployed patches,” WatchTowr said.


However, the non-profit cybersecurity organization Shadowserver Foundation reported seeing exploitation attempts targeting CVE-2024-5806 shortly after details were made public.  

Rapid7 noted in a blog post on Tuesday that Shadowserver has seen exploitation attempts in its honeypots, but “honeypot activity does not always correlate to threat activity in real-world production environments”.

Honeypots can capture activity whose goal is to identify potentially vulnerable systems. Such scanning may be conducted by malicious actors who are planning attacks, but also by the cybersecurity community. 

Shadowserver is seeing roughly 1,700 internet-exposed MOVEit Transfer instances, a majority in North America. 

An analysis by Censys showed 2,700 MOVEit Transfer instances online, a majority in the United States, followed by the United Kingdom and Germany. 

Censys pointed out that the number of exposed instances is roughly the same as in June 2023, when the Cl0p ransomware group exploited a MOVEit Transfer zero-day vulnerability tracked as CVE-2023-34362 to steal data from dozens of major organizations. 

CISA recently warned organizations about attacks targeting a flaw in Progress Software’s Telerik Report Server.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

