MOVEit Transfer Vulnerability - CVE-2024-5806

Incident Report for Rapid Response Status Page

Resolved

This incident has been resolved.
Posted Jun 30, 2024 - 15:48 UTC

Identified

Over the last few days, Team Axon has been researching the recently published MOVEit Transfer vulnerability, CVE-2024-5806. It is a critical authentication bypass flaw in the software's SFTP module: attackers can skip the authentication process and then access, modify, delete, or tamper with files on the MOVEit Transfer server.

The vulnerability affects MOVEit Transfer versions before 2023.0.11, 2023.1.6, and 2024.0.2. For more technical information, see the Alert Bulletin from the vendor: https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806. We highly recommend following the mitigations suggested in the article to prevent successful exploitation.

In addition, Axon research points out:
- Exploitation of CVE-2024-5806 requires knowledge of a valid username on the system, which, while a low hurdle, can limit automated attacks.
- The specified username must pass IP-based restrictions; thus, locking down users to whitelisted IP addresses can reduce risk.

To assist you, Team Axon developed a visibility query to identify servers running MOVEit services. The query singles out publicly exposed servers, highlighting the assets that are more critical and potentially vulnerable to public exploitation. The query can be found on Axon-git: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-5806/moveit_visibility_query.sql

Please feel free to reach out to the team for any queries.
Yours,

Team Axon.
Posted Jun 30, 2024 - 15:47 UTC
This incident affected: Rapid Response.
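
The sketch below is an added example, not Team Axon's visibility query or any vendor code. It shows one way to triage an asset inventory against the fixed versions listed above, ranking publicly exposed hosts first as the visibility query's output suggests. The hostnames, versions and exposure flags are constructed, and treating release branches the page does not name as "unknown" is an assumption.

```python
# Added example: triage a MOVEit Transfer inventory for CVE-2024-5806.
# Fixed patch level per release branch, taken from the versions named on this page.
FIXED = {(2023, 0): 11, (2023, 1): 6, (2024, 0): 2}

def parse_version(text):
    """Parse 'YYYY.minor.patch' into three ints; extra build components are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def status(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    try:
        year, minor, patch = parse_version(version_text)
    except ValueError:
        return "unknown"
    fixed_patch = FIXED.get((year, minor))
    if fixed_patch is None:
        # Assumption: branches the page does not name are left unclassified
        # and should be checked against the vendor bulletin by hand.
        return "unknown"
    return "vulnerable" if patch < fixed_patch else "fixed"

def triage(inventory):
    """Drop fixed hosts; order the rest with vulnerable + public first."""
    rank = {("vulnerable", True): 0, ("vulnerable", False): 1,
            ("unknown", True): 2, ("unknown", False): 3}
    rows = [(host, ver, status(ver), public) for host, ver, public in inventory]
    rows = [r for r in rows if r[2] != "fixed"]
    return sorted(rows, key=lambda r: (rank[(r[2], r[3])], r[0]))

# Constructed sample inventory: (hostname, reported version, publicly exposed?)
SAMPLE = [
    ("sftp-int-03", "2024.0.1", False),
    ("sftp-dmz-04", "2022.1.5", True),
    ("sftp-int-02", "2023.1.6", False),
    ("sftp-dmz-01", "2023.0.10", True),
    ("sftp-int-05", "n/a", False),
]

if __name__ == "__main__":
    for host, ver, state, public in triage(SAMPLE):
        exposure = "public" if public else "internal"
        print(f"{host:12} {ver:10} {state:10} {exposure}")
```
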