Over the last few days, Team Axon has been researching the recently published MOVEit Transfer vulnerability, CVE-2024-5806. It is a critical authentication bypass flaw in the software's SFTP module that enables attackers to access, modify, delete, or tamper with files on the MOVEit Transfer server.
In addition, Axon research points out:
- Exploitation of CVE-2024-5806 requires knowledge of a valid username on the system, which, while a low hurdle, can limit automated attacks.
- The specified username must pass IP-based restrictions; thus, locking down users to whitelisted IP addresses can reduce risk.
To assist you, Team Axon developed a visibility query to identify servers running MOVEit services. The query singles out publicly exposed servers to highlight assets that are more critical and potentially vulnerable to public exploitation. It can be found on Axon-git: https://github.com/axon-git/rapid-response/blob/main/CVE-2024-5806/moveit_visibility_query.sql
Please feel free to reach out to the team for any queries. Yours,