
Critical MOVEit vulnerability gets exploited hours after disclosure


Progress Software has disclosed a new critical vulnerability in MOVEit, CVE-2024-5806. The vulnerability enables attackers to bypass authentication and gain access to sensitive data. Found in the program’s SFTP module, it carries a CVSS severity rating of 9.1 out of 10. Researchers report that attackers began attempting to exploit it within hours of public disclosure.

The vulnerability can be exploited in two scenarios. The more powerful of the two lets an attacker have a null string treated as a public encryption key during the authentication process, allowing them to log in as an existing user with elevated privileges. This does require uploading a public key to vulnerable servers, but that isn’t a particularly difficult thing to do.


Progress Software has already issued a patch for the vulnerability, but this doesn’t negate the fact that the vulnerability is still being exploited, as researchers from the Shadowserver Foundation reported. watchTowr researchers reported that their exploit relied on IPWorks SSH, a commercial third-party product Progress Software uses in MOVEit.

An advisory issued by Progress Software states that while the original vulnerability, CVE-2024-5806, has been addressed in the patch, “this newly disclosed third-party vulnerability introduces new risk.” The advisory also details further steps to mitigate the third-party vulnerability, stating that users need to verify that they:

  • Block public inbound RDP access to MOVEit Transfer servers.
  • Limit outbound access to only known trusted endpoints from MOVEit Transfer servers.
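One way to implement those two advisory steps on a Windows host running MOVEit Transfer, as an added example written with the built-in NetSecurity cmdlets (this is not Progress Software's own script, and the management subnet and trusted endpoint addresses below are placeholders you must replace with your own):

```powershell
# Added example: Windows Firewall rules for the two advisory steps.
# Assumed placeholder values - replace with your environment's addresses.
$ManagementSubnet = '10.0.50.0/24'                 # assumed admin jump-host range
$TrustedOutbound  = @('10.0.10.5', '10.0.10.6')    # assumed trusted endpoints (DB, DNS, AD, update servers ...)

# Step 1: no public inbound RDP.
# Windows Firewall gives Block rules precedence over Allow rules, so a blanket
# Block on 3389 would also cut off administrators. Instead, keep the inbound
# default at Block and scope the built-in "Remote Desktop" allow rules to the
# management subnet only.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementSubnet

# Step 2: outbound only to known trusted endpoints.
# Default-deny outbound, then add one explicit allow for the trusted list.
# Anything the server legitimately needs (DNS, domain controllers, licensing,
# update sources) must be in $TrustedOutbound or it will break after this runs.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
Remove-NetFirewallRule -DisplayName 'MOVEit - Allow trusted outbound' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'MOVEit - Allow trusted outbound' `
    -Direction Outbound -RemoteAddress $TrustedOutbound -Action Allow -Profile Any

# Verification: confirm the RDP rules are scoped and the profile defaults took effect.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
Get-NetFirewallProfile |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

Run it from an elevated PowerShell session on the MOVEit Transfer server itself, and test the outbound allow-list against a staging host first, since a default-deny outbound policy will silently break any dependency you forgot to list.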

In 2023, a critical MOVEit vulnerability compromised more than 2,300 organisations, including Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario. The last one led to a data breach affecting 3.4 million people. Given how similar the two vulnerabilities are, this vulnerability is also expected to be heavily exploited.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
