
Inadequacies in MOVEit Transfer Prompt Security Defenses to Keep Pace with Attackers


Attackers have been detected targeting critical bugs in Progress Software’s MOVEit file transfer application, which the company recently disclosed. The intensity of the attacks on these vulnerabilities is reminiscent of the zero-day flaw that was exposed almost a year ago.

Despite the availability of patches for the new vulnerabilities, organizations affected by these bugs are facing a crucial question: can they deploy the patches fast enough to outpace malicious actors attempting to compromise their systems? This concern is amplified by the presence of a proof-of-concept exploit circulating in the wild.

One of the key issues with the new vulnerabilities is that applying patches alone may not be sufficient. Even organizations that have already installed the updates find themselves in a precarious position because Progress Software discovered additional issues after the patch was released.

The vulnerabilities in question affect the SFTP module of MOVEit Transfer, presenting improper authentication issues that could enable an attacker to impersonate any user on a compromised system and gain control. The first flaw, identified as CVE-2024-5806, impacts various versions of MOVEit Transfer, while the second flaw, CVE-2024-5805, affects MOVEit Gateway.

When CVE-2024-5806 was initially disclosed, it was assigned a medium-severity score, which was later upgraded after the discovery of a vulnerability in a third-party component used in MOVEit Transfer. Progress Software has advised affected organizations to install the patches and also enforce restrictions on public inbound RDP access to MOVEit Transfer servers.

An internet scan conducted on June 25 revealed thousands of MOVEit Transfer instances online, with most of them located in the US. ShadowServer reported observing exploit attempts targeting CVE-2024-5806 shortly after its disclosure, underscoring the urgency of the situation.

Emily Austin, a principal security researcher at Censys, highlighted that exploiting the vulnerabilities does not appear to be overly challenging. She stressed the importance of identifying unpatched instances and having knowledge of valid usernames to access the service, which could be obtained through various means.

The emergence of these new flaws follows a previous incident where Progress Software disclosed a SQL injection zero-day vulnerability in MOVEit Transfer, which was heavily exploited by threat actors. The severity of the current vulnerabilities underscores the need for organizations to take swift action to mitigate the risks posed by potential exploitation.

While there is optimism that the availability of patches may limit the impact of the new vulnerabilities, experts caution that patching alone is insufficient. A comprehensive security approach that includes threat intelligence and proactive risk management is crucial to effectively mitigating the evolving cyber threats posed by vulnerabilities like CVE-2024-5806.

Overall, the urgency of the situation necessitates a coordinated response from affected organizations to address the vulnerabilities in a timely manner and minimize the potential for exploitation by malicious actors. Failure to take appropriate measures could have severe consequences, as demonstrated by past incidents involving similar security issues.
