Fresh MOVEit Bug Under Attack Mere Hours After Disclosure

The high-severity CVE-2024-5806 allows cyberattackers to authenticate to the file-transfer platform as any valid user, with accompanying privileges.

A high-severity security vulnerability in Progress Softwares MOVEit Transfer software could allow cyberattackers to get around the platforms authentication mechanisms — and its being actively exploited in the wild just hours after it was made public.
MOVEit Transfer is an application for file sharing and collaboration in large-scale enterprises; it was infamously targeted last year in
a rash of Cl0p ransomware attacks
that affected at least 160 victims, including British Airways,
the state of Maine
, Siemens, UCLA, and more. The level of mass exploitation was such that it materially affected the results of this years
Data Breach Investigations Report
(DBIR) from Verizon.
The new bug (
CVE-2024-5806
, CVSS: 7.4) is an improper authentication vulnerability in MOVEits SFTP module that can lead to authentication bypass in limited scenarios, according to Progress
security advisory
on the issue today, which also includes patching information. It affects versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2 of MOVEit Transfer.
Admins should patch the issue immediately — not only is MOVEit on cybercriminals radar screens after the events of last year, but the ability to access internal files at Fortune 1000 companies is a juicy plum for any espionage-minded advanced persistent threat (APT). And, according to a
short note
from the nonprofit Shadowserver Foundation, very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts. It also
reported
that there are at least 1,800 exposed instances online (though not all of them are vulnerable).
Progress didnt provide any details on the bug, but researchers at watchTowr, who called the vulnerability truly bizarre, have been able to determine two attack scenarios. In one case, an attacker could perform forced authentication using a malicious SMB server and a valid username (enabled by a dictionary-attack approach).
In another, more dangerous attack, a threat actor could impersonate any user on the system. [We can] upload our SSH public key to the server without even logging in, and then use that key material to allow us to authenticate as anyone we want, according to
watchTowrs post.
From here, we can do anything the user can do — including reading, modifying, and deleting previously protected and likely sensitive data.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Fresh MOVEit Bug Under Attack Mere Hours After Disclosure