Patch now! Progress-MOVEit vulnerabilities are already under attack

Progress has patched two critical vulnerabilities in MOVEit Gateway and Transfer. Cybercriminals are already attacking one of them.

Stylized graphic: Burning appliances in the network

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Progress has released two security alerts that address critical vulnerabilities in MOVEit Gateway and MOVEit Transfer. One of these is already under attack in the wild. IT managers with Progress MOVEit instances should check as soon as possible whether the current version is already running and, if it is not, apply the updates and recommended countermeasures immediately.

The first vulnerability affects MOVEit Gateway 2024.0.0 and allows attackers to bypass authentication. The cause is an unspecified flaw in the bundled SFTP module (CVE-2024-5805, CVSS 9.1, risk "critical"). The only remedy is to install version 2024.0.1 over the existing installation using the "Full Installer", which interrupts the service during the update, Progress explains.

In MOVEit Transfer, there is an identical vulnerability in the SFTP module that allows malicious actors to bypass authentication. However, the second security report from Progress does not provide any indications of what attacks could look like (CVE-2024-5806, CVSS 9.1, critical).

However, IT researchers at watchtowr Labs took a closer look at the vulnerability and ultimately developed a proof-of-concept exploit based on their findings. They describe this in detail in an article on the watchtowr website. There they also provide potential indications of attacks that admins can use as a starting point when investigating their instances.

Shadowserver has been observing the first attacks, using POST requests to the MOVEit file /guestaccess.aspx, since Tuesday evening, the IT research collective announced on X (formerly Twitter). Anyone running MOVEit who has not yet installed the updates should do so now, the message concludes.
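As a starting point for reviewing an instance's web logs for the request pattern Shadowserver reports, here is an added example (not code from Progress, Shadowserver or watchtowr). It assumes the access logs are in IIS W3C extended format with a `#Fields:` header; the sample lines are constructed, and a hit is only a lead for closer review, since the article gives no further detail on the requests.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real traffic; documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-25 18:02:11 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2024-06-25 18:03:40 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2024-06-25 18:03:41 10.0.0.5 POST /GuestAccess.aspx - 443 - 203.0.113.9 python-requests/2.31 500
2024-06-25 18:05:02 10.0.0.5 GET /guestaccess.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2024-06-26 07:15:30 10.0.0.5 POST /guestaccess.aspx - 443 - 192.0.2.44 curl/8.4.0 200
"""

TARGET = "/guestaccess.aspx"  # path named in the Shadowserver report


def find_guestaccess_posts(lines):
    """Return {client_ip: {"count", "first", "last", "statuses"}} for POSTs to TARGET."""
    fields = []
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, parts))
        if row.get("cs-method", "").upper() != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != TARGET:  # IIS paths are case-insensitive
            continue
        ts = f'{row.get("date", "")} {row.get("time", "")}'.strip()
        entry = hits[row.get("c-ip", "unknown")]
        entry["count"] += 1
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
        entry["statuses"].add(row.get("sc-status", "-"))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_guestaccess_posts(SAMPLE_LOG.splitlines()).items():
        print(ip, info["count"], info["first"], info["last"], sorted(info["statuses"]))
```
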

According to the Shadowserver analyses, around 1800 Progress MOVEit systems are openly accessible online. The majority, almost 1300 systems, are located in the USA. Europe follows in second place with more than 350 systems. However, the Shadowserver count does not provide any qualitative information about whether the systems have already been patched or are vulnerable.

Progress MOVEit software is popular with cybercriminals. Security gaps in it usually give them access to sensitive data, which they then use to extort ransom from their victims. The Cl0p cyber gang demonstrated this almost exactly a year ago with dozens of well-known companies. Based on this experience, IT managers should not waste any time but should update their systems immediately.

(dmk)