Vulnerability Management, Patch/Configuration Management

Five things security teams need to know about the latest MOVEit Transfer bug

Just two days ago, Progress Software Corporation formally disclosed that it had discovered a new MOVEit Transfer authentication bypass vulnerability that could let attackers exploit the flaw to access accounts without knowing credentials.

Tracked as CVE-2024-5806, the flaw was given a critical CVSS score of 9.1 by MOVEit provider Progress Software, which said it began distributing a patch on June 11 prior to the June 25 disclosure.

Faced with unending threats and conflicting priorities, security teams are now being told to drop everything and patch right away, mainly because of the damage the last major MOVEit flaw did last year when the Clop ransomware group stole data from hundreds of MOVEit users and their customers.

Mike Walters, co-founder and president at Action1, pointed out that Shadowserver reports that about 1,700 instances of MOVEit Transfer are available online, most of them in North America. And, according to Censys, there are 2,700 instances, most of them also in the U.S., followed by the U.K. and Germany.

Here are five things security teams need to know about the new MOVEit Transfer vulnerability CVE-2024-5806:

  • Make patching the new MOVEit bug a top priority.

Proactive patching measures are absolutely critical to mitigate risks effectively, especially since the MOVEit Transfer vulnerability CVE-2024-5806 was actively being exploited by threat actors, said Patrick Tiquet, vice president, security and architecture at Keeper Security.

“Apply patches promptly from Progress Software Corporation and verify their successful deployment across all systems,” said Tiquet. “Enhance monitoring capabilities to promptly detect any suspicious activity, complemented by regular audits to ensure continuous security.”

Casey Ellis, founder and chief strategy officer at Bugcrowd, added that teams should update versions 2023.0.11, 2023.1.6, or 2024.0.2, depending on the version they are using. Ellis said unpatched systems are highly vulnerable to attacks and the nature of MOVEit and the data it tends to have access to makes it an attractive target for attackers.

  • Keep close tabs on all access logs.

Bugcrowd’s Ellis said security teams should conduct a thorough review of access logs and system activities for any signs of exploitation attempts or unauthorized access. Look for unusual login patterns, access attempts, and data transfer activities that could indicate an exploitation of the vulnerability. That’s because Ellis said exploitation is underway. MOVEit has been widely and successfully exploited by Clop in the past, which means that and other ransomware, RaaS, and IAB groups are likely to target this new vulnerability. By responding to suspicious activity, Ellis said security teams can create the opportunity to mitigate potential damage from an attack.

  • Take advantage of all the latest security research.

Make sure the team subscribes to relevant security bulletins, follows cybersecurity forums, and engages with industry-specific threat intelligence communities, said Ellis. This new vulnerability will likely spark another research cluster around MOVEit software which may shed light on additional exploitable vulnerabilities. Ellis pointed out that knowing which threat actors are exploiting the vulnerabilities – and to what end – is important in the early stages. Staying informed about the latest developments and threat actor tactics can help teams anticipate and prepare for potential attacks

  • Follow Progress Software’s guidance on how to fix an unpatched third-party component.

James Slaughter, senior threat intelligence engineer at Fortinet, explained that unfortunately, CVE-2024-5806 appears to have revealed a vulnerability in a third-party component which MOVEit uses. Because a fix does not exist at this time, Slaughter said it’s important for security teams to follow Progress Software’s guidance to mitigate any potential risk this presents:

Verify the team has blocked public inbound RDP access to MOVEit Transfer servers; and limit outbound access to only known trusted endpoints from MOVEit Transfer servers.

  • Review the organization’s vulnerability management program.

Paul Laudanski, director of security research at Onapsis, said because so many organizations use MOVEit Transfer, the impact of this new critical flaw could be devastating. Of course, for cloud customers, the patch has already been applied, noted Laudanski.

“As we have seen in our own threat research recently, most organizations do not have a healthy vulnerability management program,” said Laudanski. “My fear here is that many organizations might fall in that same boat. It’s urgent for organizations to understand that a healthy vulnerability management program will ensure the quick mitigation of flaws such as this one.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds