Discover the latest critical vulnerabilities in MOVEit Transfer. Learn about CVE-2024-5806 and CVE-2024-5805, their impact, and essential mitigation steps.

Continue reading
Threat actors are actively engaged to exploit a critical authentication bypass vulnerability in Progress MOVEit Transfer, shortly after the flaw was made public by the vendor.
MOVEit Transfer is a managed file transfer (MFT) solution utilized in enterprise settings to securely transfer files using protocols such as SFTP, SCP, and HTTP.
These vulnerabilities, notably CVE-2024-5806 and CVE-2024-5805, have severe implications for data security across various industries.
This Threatfeed delves into the technical nuances of these vulnerabilities, providing an in-depth understanding of their impact, exploitation mechanisms, and mitigation strategies.
Initially rated with a CVSS score of 7.4, CVE-2024-5806 has been re-evaluated to 9.1, elevating its severity from High to Critical. This vulnerability affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2. The flaw arises from improper error handling in the IPWorks SSH library, allowing attackers to manipulate SSH key data for authentication bypass.
CVE-2024-5805, with a CVSS score of 9.1, is a critical vulnerability affecting MOVEit Gateway version 2024.0.0. This vulnerability permits attackers to exploit forced authentication scenarios, enabling them to capture Net-NTLMv2 hashes by connecting to malicious SMB servers.
CVE-2024-5806 (CVSS 9.1 - Critical)
CVE-2024-5805 (CVSS 9.1 - Critical)
MOVEit Transfer is a managed file transfer (MFT) solution widely used for secure file transfers within and between organizations. The product has a history of critical vulnerabilities, with the Clop ransomware exploiting these vulnerabilities in 2023 to steal data from numerous organizations. MOVEit Gateway is designed to enable safer deployments by acting as a proxy service.

*Instances of MoveIt Transfer*
The recently identified vulnerabilities have significant implications:
The authentication bypass vulnerability in MOVEit Transfer stems from issues within the IPWorks SSH library. When error handling fails, attackers can manipulate SSH key data to impersonate legitimate users. This flaw enables unauthorized access to sensitive data and systems.
Attackers craft malicious SSH key data to bypass authentication checks. The server fails to properly validate the key, granting unauthorized access.
By exploiting the manipulated SSH key, attackers can impersonate any user on the server, gaining access to restricted areas and sensitive information.
# Example Code Snippet
def validate_ssh_key(key):
try:
# Error-prone validation process
if not validate(key):
raise InvalidKeyException("Invalid SSH Key")
except InvalidKeyException as e:
log.error("Key validation failed: {}".format(e))
return False
return TrueIn the above code snippet, the `validate_ssh_key` function demonstrates improper handling of SSH key validation, which can be exploited for authentication bypass.
The critical vulnerability in MOVEit Gateway involves forced authentication scenarios where the server connects to a malicious SMB server. This interaction exposes a Net-NTLMv2 hash, which can be used for further exploitation.
Attackers trick the server into authenticating against a malicious SMB server, capturing the Net-NTLMv2 hash.
The captured hash can be leveraged to impersonate the server or conduct pass-the-hash attacks, compromising the entire system.
# Example Code Snippet
def connect_to_smb(server, credentials):
try:
# Attempt connection to SMB server
smb_connection = SMBConnection(server, credentials)
smb_connection.authenticate()
except SMBException as e:
log.error("SMB connection failed: {}".format(e))
return False
return TrueIn this code snippet, the `connect_to_smb` function illustrates how forced authentication to a malicious server can expose sensitive credentials.
Researchers from watchTowr Labs provided an in-depth technical analysis of the authentication bypass vulnerabilities:
An attacker can exploit this vulnerability by:
To mitigate these vulnerabilities, Progress Software recommends several immediate actions:
Apply the latest patches for MOVEit Transfer and MOVEit Gateway to mitigate known vulnerabilities.
Block inbound RDP access to MOVEit Transfer to prevent unauthorized remote access.
Restrict outbound connections to trusted servers only, reducing the risk of forced authentication attacks.
Additionally, users should apply patches as soon as they are available and monitor network traffic for any unusual activity indicating attempted exploitation.
As of June 25, 2024, approximately 2,700 instances of MOVEit Transfer are online, predominantly in the United States. The majority of these instances are hosted on Microsoft or Amazon autonomous systems, underscoring the widespread usage and potential risk of exploitation.
The vulnerabilities in MOVEit Transfer and MOVEit Gateway present significant risks to data security. CVE-2024-5806 and CVE-2024-5805 exemplify how flaws in authentication mechanisms can be exploited to gain unauthorized access and compromise sensitive systems. By understanding the technical details and implementing recommended mitigations, organizations can protect themselves against these critical threats.
The identification of these new vulnerabilities in MOVEit Transfer and Gateway underscores the importance of robust cybersecurity measures. Organizations using these products should prioritize applying the recommended mitigations and closely monitor their systems for signs of compromise.
For further details and continuous updates, refer to Progress Software's advisory and security bulletins. Through meticulous evaluation and proactive measures, the integrity and security of critical systems can be maintained.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.