A critical security vulnerability has been identified in MOVEit Transfer that poses significant risks to organizations relying on the software for secure data transfers.
The vulnerability tracked as CVE-2024-5806 is rooted in improper validation of user-supplied input during the authentication process. It can be exploited by sending specially crafted requests to the MOVEit Transfer server, bypassing authentication checks, and gaining administrative access.
The affected versions include MOVEit Transfer 2023.0.0 to 2023.0.10, 2023.1.0 to 2023.1.5, and 2024.0.0 to 2024.0.1.
Progress strongly urges all MOVEit Transfer customers using the affected versions to immediately upgrade to the latest patched version. The patched versions are as follows:
- MOVEit Transfer 2023.0.11
- MOVEit Transfer 2023.1.6
- MOVEit Transfer 2024.0.2
The Improper Authentication vulnerability in MOVEit Transfer’s SFTP module can allow attackers to bypass authentication mechanisms and gain unauthorized access to the system that lead to data breaches, theft of sensitive information, and other malicious activities.
To mitigate the risk, customers are advised to upgrade to the patched versions of MOVEit Transfer using the full installer. The upgrade process will cause a system outage while running
This vulnerability does not affect MOVEit Cloud customers, as the patch has already been deployed to the cloud infrastructure. Additionally, MOVEit Cloud is safeguarded against third-party vulnerability through strict access controls on the underlying infrastructure.
To mitigate the third-party vulnerability, Progress recommends the following steps:
- Verify that public inbound RDP access to MOVEit Transfer servers is blocked.
- Limit outbound access from MOVEit Transfer servers to only known trusted endpoints.
Progress will make the third-party vendor’s fix available to MOVEit Transfer customers once released.
