
Additional MOVEit vulnerabilities disclosed, a year after the 2023 debacle

Progress Software and outside researchers have detected exploit attempts, although no successful exploitation in customer environments has been observed so far. The risk is heightened by the wave of attacks on MOVEit customers last year.



On Tuesday, June 25, 2024, Progress Software disclosed two authentication bypass vulnerabilities in its MOVEit file-transfer products: CVE-2024-5806, an improper authentication flaw in the SFTP module of MOVEit Transfer, and CVE-2024-5805, an authentication bypass in MOVEit Gateway. Both carry a critical CVSS score of 9.1.

The disclosure of these vulnerabilities comes just over a year after MOVEit customers were caught in a spree of attacks linked to a zero-day vulnerability in the file-transfer service. The earlier vulnerability, CVE-2023-34362, was a critical SQL injection flaw that allowed unauthenticated attackers to breach MOVEit Transfer databases and deploy persistent web shells. This vulnerability led to massive data breaches affecting millions of individuals and thousands of organizations, including high-profile entities such as government agencies and Fortune 500 companies.

Exploit attempts against CVE-2024-5806 were observed within hours of its disclosure, leaving organizations a very short window to patch or mitigate. The urgency is compounded by the lesson of the 2023 campaign, in which more than 4 in 5 victim organizations had no direct relationship with Progress and were affected through third-party vendors that did.

Researchers and threat hunters are concerned about a possible new wave of attacks against MOVEit customers. The steps required to exploit CVE-2024-5806 in MOVEit Transfer are complicated, but a proof-of-concept exploit is publicly available, which lowers the bar for attackers. Researchers at Censys and Rapid7 have not yet observed exploitation in customer environments.

Progress Software shipped patches for both vulnerabilities on June 11, 2024, ahead of public disclosure, and is urging MOVEit customers to upgrade to the fixed versions on an emergency basis.

Progress did not address the new CVEs on its earnings call. Despite the security concerns, President and CEO Yogesh Gupta said the business remains solid, with MOVEit annual recurring revenue growing over the past year and customers continuing to be pleased with how Progress has worked with them.

Separately, watchTowr Labs published a detailed blog post walking through the steps needed to exploit CVE-2024-5806. Censys observed about 2,700 publicly exposed MOVEit instances on Tuesday, and Shadowserver observed exploit attempts the same day, shortly after Progress disclosed the vulnerability.

CVE-2024-5806 adds to a risk landscape already shaped by the widely exploited CVE-2023-34362, and underscores the continued challenge Progress Software faces in securing a file-transfer service whose compromise tends to cascade to the third parties that depend on it.

  1. The newly disclosed CVE-2024-5806 adds to the existing risk around the MOVEit file-transfer service, following the critical SQL injection flaw CVE-2023-34362 that led to massive data breaches last year.
  2. CVE-2024-5806 carries a critical severity rating like the 2023 flaw; although the exploitation steps are complicated, a public proof-of-concept raises the potential for attacks against MOVEit customers.
  3. Organizations should prioritize patching and monitoring of technology critical to daily operations such as MOVEit, and should account for exposure through third-party vendors that run it.
