Executive Summary
CVE-2024-5806 is a critical improper authentication vulnerability identified in the Progress MOVEit Transfer software, specifically affecting its SFTP module. This vulnerability allows attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive data. The vulnerability has a CVSS v3.1 Base Score of 9.1, indicating its critical nature. Immediate action is required to mitigate the risks associated with this vulnerability.
Technical Information
CVE-2024-5806 arises from improper authentication handling in the SFTP module of MOVEit Transfer. A remote attacker can exploit the flaw to bypass authentication and gain unauthorized access to the system. The affected versions of MOVEit Transfer are 2023.0.0 up to (but not including) 2023.0.11, 2023.1.0 up to (but not including) 2023.1.6, and 2024.0.0 up to (but not including) 2024.0.2. The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: the attack is reachable over the network (AV:N), has low complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), does not change scope (S:U), and has a high impact on confidentiality and integrity (C:H/I:H) with no availability impact (A:N). These metrics produce the base score of 9.1.
The vulnerability allows an attacker to establish an authenticated SFTP session as a legitimate MOVEit Transfer user without that user's credentials, and then to list directory contents and read the files accessible to that account. Because MOVEit Transfer is used to hold and exchange sensitive files, this translates directly into data theft: an attacker can exfiltrate the data of any account they can impersonate.
Exploitation in the Wild
There have been reports of active exploitation of CVE-2024-5806 in the wild. Attackers have been observed leveraging this vulnerability to gain unauthorized access to MOVEit Transfer systems. They often use automated scripts to exploit the flaw and exfiltrate sensitive data. Specific usage of this vulnerability includes the development of a Metasploit module named
Additionally, watchTowr Labs has published a detailed technical analysis with a proof-of-concept exploit for this vulnerability: https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/.
APT Groups using this vulnerability
No APT group has been publicly attributed to exploitation of CVE-2024-5806. The nature of the vulnerability, unauthenticated access to files held in a managed file-transfer system, makes it attractive to groups focused on data theft and espionage. Such groups commonly target sectors such as finance, healthcare, and government, where the files exchanged through MOVEit Transfer are of high value.
Affected Product Versions
The following versions of MOVEit Transfer are affected by CVE-2024-5806:
- MOVEit Transfer: from 2023.0.0 before 2023.0.11
- MOVEit Transfer: from 2023.1.0 before 2023.1.6
- MOVEit Transfer: from 2024.0.0 before 2024.0.2
Workaround and Mitigation
To mitigate CVE-2024-5806, upgrade MOVEit Transfer to a fixed release in the branch you run: 2023.0.11, 2023.1.6, or 2024.0.2 or later. Progress's bulletin also lists network hardening related to the third-party component involved in this issue: block public inbound RDP access to MOVEit Transfer servers, and limit outbound access from those servers to known, trusted endpoints. In addition, monitor network traffic to the SFTP service for unusual activity that may indicate exploitation attempts, and review MOVEit Transfer access and SFTP authentication logs for successful logins that do not correspond to legitimate client activity.
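Deciding whether a given installation falls inside the affected ranges is easy to get wrong when a fleet spans several branches, since 2023.0.10 is vulnerable while 2023.1.2 is also vulnerable and 2024.0.2 is fixed. The following checker is added here as an example (not part of the original bulletin and not a Progress tool): it encodes the advisory's three ranges and classifies each version string as vulnerable, patched, or not listed. The hostnames and versions in the sample inventory are constructed; in practice the administrator supplies the version string read from each MOVEit Transfer server. Branches outside the advisory (2022.x and earlier, or anything newer than 2024.0) are reported as not listed rather than assumed safe.

```python
import re
from typing import NamedTuple, Optional


class AffectedRange(NamedTuple):
    """A release branch affected by CVE-2024-5806: versions >= first and
    < fixed are vulnerable; `fixed` is the first patched release."""
    first: tuple
    fixed: tuple


# Affected ranges exactly as stated in the advisory (NVD / Progress bulletin).
AFFECTED_RANGES = (
    AffectedRange(first=(2023, 0, 0), fixed=(2023, 0, 11)),
    AffectedRange(first=(2023, 1, 0), fixed=(2023, 1, 6)),
    AffectedRange(first=(2024, 0, 0), fixed=(2024, 0, 2)),
)

# 'YYYY.minor.patch' with an optional fourth build component.
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*")


def parse_version(text: str) -> tuple:
    """Parse a MOVEit Transfer version string into a (major, minor, patch)
    tuple. A fourth build component is accepted and ignored because the
    advisory's ranges are expressed with three components."""
    match = _VERSION_RE.fullmatch(text)
    if not match:
        raise ValueError(f"unrecognised MOVEit Transfer version string: {text!r}")
    return tuple(int(match.group(i)) for i in range(1, 4))


def fixed_version_for(version: tuple) -> Optional[tuple]:
    """Return the first patched release for the branch (major.minor) of
    `version`, or None when the branch is not listed in the advisory."""
    for rng in AFFECTED_RANGES:
        if rng.first[:2] == version[:2]:
            return rng.fixed
    return None


def assess(version_text: str) -> dict:
    """Classify one version string against the advisory's ranges."""
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    if fixed is None:
        # Not covered by the advisory; refuse to call it safe.
        return {"version": version_text.strip(), "status": "not-listed", "fixed": None}
    status = "vulnerable" if version < fixed else "patched"
    return {"version": version_text.strip(), "status": status,
            "fixed": ".".join(str(part) for part in fixed)}


def assess_inventory(inventory: dict) -> dict:
    """Assess a {hostname: version_string} mapping host by host."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for
# illustration and do not describe any real deployment.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2023.0.10",
    "mft-prod-02": "2023.1.6",
    "mft-dr-01": "2024.0.1",
    "mft-legacy-01": "2022.1.3",
}

if __name__ == "__main__":
    for host, result in assess_inventory(SAMPLE_INVENTORY).items():
        line = f"{host}: {result['version']} -> {result['status']}"
        if result["status"] == "vulnerable":
            line += f" (upgrade to {result['fixed']})"
        print(line)
```

Hosts reported as vulnerable should be upgraded to the listed fixed release; hosts reported as not listed should be checked against the vendor's current guidance rather than treated as unaffected.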
References
For more detailed information on CVE-2024-5806, please refer to the following resources:
- NVD, CVE-2024-5806: https://nvd.nist.gov/vuln/detail/CVE-2024-5806
- Progress, MOVEit Transfer Product Security Alert Bulletin (June 2024): https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
- Kroll, Cyber Risk Insights: https://www.kroll.com/en/insights/publications/cyber/progress-moveit-transfer-cve-2024-5806
- Rapid7, Authentication Bypasses in MOVEit Transfer and MOVEit Gateway: https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway/
- Beazley Security, alert on CVE-2024-5806: https://beazley.security/alerts-advisories/critical-vulnerability-in-moveit-transfer-cve-2024-5806
- watchTowr Labs, technical analysis and proof of concept: https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
Rescana is here for you
At Rescana, we understand the critical nature of cybersecurity threats and the importance of timely and effective mitigation. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities like CVE-2024-5806. We are committed to providing our customers with the tools and support they need to protect their systems and data. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.