Fri, Jun 28, 2024
Note: Exploitation of this vulnerability remains highly likely, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
An improper authentication vulnerability, being tracked as CVE-2024-5806, has been discovered in Progress MOVEit Transfer (SFTP module). This vulnerability has a CVSS score of 9.1 (Critical) with a high potential for exploitation. If exploited, this vulnerability could allow an attacker to bypass authentication by exploiting improper handling of SSH key data. By manipulating the SSH public key authentication process, an attacker could gain unauthorized access to the system. Exploiting this vulnerability could enable a threat actor to impersonate any user on the server, leading to unauthorized data access and potential further exploitation. This includes access to sensitive files and possible lateral movement within the network.
This issue affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.
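As an added example that is not part of the Kroll post or of any Progress tooling, the following Python maps MOVEit Transfer version strings onto the affected ranges listed above; the hostnames and versions it uses are constructed.

```python
# Added example, not Progress or Kroll code: classify MOVEit Transfer version
# strings against the CVE-2024-5806 affected ranges quoted in the advisory.
from typing import Dict, Tuple

# (first affected, first fixed) for each release branch the advisory names.
AFFECTED_RANGES = [
    ((2023, 0, 0), (2023, 0, 11)),
    ((2023, 1, 0), (2023, 1, 6)),
    ((2024, 0, 0), (2024, 0, 2)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'YYYY.minor.patch' into a comparable tuple; extra fields are ignored."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit Transfer version: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'outside_advisory'.

    'fixed' means at or above the first patched build of a listed branch.
    Branches the advisory does not mention (e.g. pre-2023 builds) come back as
    'outside_advisory', not 'fixed': the advisory makes no statement about them.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if v[:2] != first_affected[:2]:
            continue  # different release branch
        return "vulnerable" if v < first_fixed else "fixed"
    return "outside_advisory"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "moveit-a.example": "2023.0.10",
        "moveit-b.example": "2023.1.6",
        "moveit-c.example": "2024.0.1",
        "moveit-d.example": "2022.1.4",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A "fixed" result covers CVE-2024-5806 only; the Progress advisory quoted below states that the June 11 patch does not address the separately disclosed third-party issue.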
A patch was distributed to Progress customers via email on June 11, 2024. The vulnerability was initially reported with a CVSS score of 7.4, but on June 25 the score was updated to 9.1.
A proof-of-concept (PoC) script and technical writeup have been made public by watchTowr. The writeup details the technical aspects of the vulnerability, and the Python exploit code is provided in a GitHub repo.
POC: https://github.com/watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806
The Kroll Cyber Threat Intelligence (CTI) team assesses that this vulnerability is likely to already be exploited.
According to the Progress advisory: "A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.
Steps customers should take to mitigate the third-party vulnerability:
When the third-party vendor releases a fix, we will make that available to MOVEit Transfer customers."
It is currently unknown which third-party software is affected by this vulnerability.
While the previous MOVEit vulnerability that was widely exploited in 2023 (tracked as CVE-2023-34362) is not connected to CVE-2024-5806, it is crucial to note that MOVEit, along with other file transfer applications, is a high-priority target for threat actors. These servers often house highly sensitive information and data, so threat actors will move quickly to exploit vulnerabilities.
Activity connected to MOVEit that we tracked in 2023:
If your organization is unpatched, you are more susceptible to an attack and should patch immediately. If you’d like to understand your exposure or assess your potential risk, reach out to a Kroll expert today via our 24x7 hotlines or contact form.