A critical vulnerability (CVE-2024-5806) in the widely used MOVEit Transfer file transfer software has been disclosed and is already under active exploitation. Progress Software, the developer of MOVEit, released information about the vulnerability on June 25, and security researchers observed widespread exploit attempts shortly thereafter.
High-Severity Threat with Immediate Impact
The vulnerability, rated with a CVSS score of 9.1, enables attackers to bypass authentication mechanisms within the MOVEit Transfer SFTP service. This can lead to unauthorized access and potential exfiltration of sensitive data. The security nonprofit Shadowserver reported a surge in exploit attempts against their honeypots mere hours after the vulnerability details became public, underscoring the urgency of the situation.
Exploitation in the Wild
The publication of CVE-2024-5806 vulnerability details and proof-of-concept (PoC) exploit code on June 25, 2024, has led to immediate exploitation attempts. The Shadowserver Foundation, a respected security nonprofit, reported observing POST /guestaccess.aspx exploit attempts against their honeypots shortly after the details were released. This rapid exploitation underscores the critical nature of the vulnerability and the urgency for affected organizations to act.
Shadowserver’s analysis indicates that there are approximately 1,800 exposed MOVEit Transfer instances online, although not all of these instances are necessarily vulnerable. Nevertheless, the widespread exposure increases the risk of successful attacks.
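For defenders who want to check their own servers for the POST /guestaccess.aspx requests described above, the following Python script is an added example (not code from Progress Software or Shadowserver) that parses IIS W3C extended logs and groups matching requests by client IP. The log layout, the sample lines and the function names are constructed assumptions; a match is a lead for review, not proof of an exploit attempt.

```python
# Constructed sample in IIS W3C extended log format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-06-25 18:02:11 GET / - 198.51.100.7 Mozilla/5.0 200
2024-06-25 18:03:40 POST /guestaccess.aspx - 203.0.113.45 python-requests/2.31 200
2024-06-25 18:03:41 POST /guestaccess.aspx - 203.0.113.45 python-requests/2.31 200
2024-06-25 18:05:02 GET /guestaccess.aspx - 198.51.100.7 Mozilla/5.0 200
2024-06-25 18:09:57 POST /GuestAccess.aspx Arg=1 192.0.2.9 curl/8.5.0 500
"""

TARGET = "/guestaccess.aspx"  # path named in the Shadowserver report


def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def guestaccess_posts(text):
    """Return POST requests to the target path (IIS paths are case-insensitive)."""
    return [r for r in parse_w3c(text)
            if r.get("cs-method") == "POST"
            and r.get("cs-uri-stem", "").lower() == TARGET]


def summarize(hits):
    """Count hits per client IP and record first and last timestamps seen."""
    out = {}
    for r in hits:
        ts = f"{r.get('date', '')} {r.get('time', '')}"
        e = out.setdefault(r.get("c-ip", "?"), {"count": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return out


if __name__ == "__main__":
    for ip, e in summarize(guestaccess_posts(SAMPLE_LOG)).items():
        print(ip, e["count"], e["first"], e["last"])
```

Compare the resulting IPs and timestamps against known guest-access users and the date the server was patched.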
Mitigation Steps and Vendor Response
Progress Software has released patched versions of MOVEit Transfer to address the vulnerability:
- MOVEit Transfer 2023.0.x: Fixed in version 2023.0.11
- MOVEit Transfer 2023.1.x: Fixed in version 2023.1.6
- MOVEit Transfer 2024.0.x: Fixed in version 2024.0.2
Users of MOVEit Cloud are reportedly already protected by a previous patch.
Organizations are strongly advised to prioritize applying these updates immediately. The public availability of exploit code and the confirmed ongoing attacks leave little room for delay.