Exposure of additional MOVEit CVEs emerges a year after last year's MOVEit debacle

Exploitation attempts are in progress against the enterprise software vendor, and the prior year's attacks on MOVEit are escalating worries.


New Vulnerabilities Discovered in Progress Software's MOVEit Transfer Service

Progress Software has recently disclosed two critical vulnerabilities in its MOVEit file-transfer service, identified as CVE-2024-5805 and CVE-2024-5806. These vulnerabilities have a CVSS score of 9.1 each, indicating a high severity risk.

The additional vulnerability, CVE-2024-5806, affects the MOVEit Gateway as well. These vulnerabilities were found soon after the one-year anniversary of the attacks on customers' MOVEit environments, which were linked to a zero-day vulnerability.

Progress Software President and CEO Yogesh Gupta stated that the business has remained solid, and MOVEit annual recurring revenue has grown since the attacks. However, researchers and threat hunters are moderately concerned about the potential for a new wave of attacks against MOVEit customers.

The ransomware group Clop compromised more than 2,700 organizations and exposed over 93 million personal records held in MOVEit environments by the end of 2023. The impact remains significant, as similar MOVEit vulnerabilities have been exploited rapidly after disclosure, enabling ransomware campaigns and data breaches.

Despite the critical nature, organizations are still at risk due to delays in patching; around 32% of critical vulnerabilities go unpatched for over 180 days, increasing exposure. Security researchers and Progress Software advise all users to patch affected systems immediately, monitor logs intensively for suspicious activities, and harden MOVEit deployments against exploitation attempts.

The steps to exploit CVE-2024-5806 in MOVEit Transfer are complicated but not impossible. Performing an attack on MOVEit Transfer would be trivial for attackers with access to a vulnerable instance and a valid username. watchTowr Labs explained the steps required for exploitation in an exhaustive blog post.

Progress Software provided patches for the vulnerabilities on June 11, 2024. However, it's essential to note that more than 4 in 5 victim organizations had no relationship with Progress, yet were impacted due to third-party vendors who did. This underscores the importance of ensuring that all third-party software used in an organization is up-to-date and secure.

In the earnings call, Progress did not address the latest vulnerabilities. Brett Callow, threat analyst at Emsisoft, stated that while this is a serious vulnerability, the limited circumstances in which it can be exploited make it somewhat less serious than the vulnerability exploited by Clop last year.

Censys observed 2,700 publicly exposed instances of MOVEit on Tuesday, June 27, 2024. Shadowserver observed exploit attempts for the vulnerability soon after it was disclosed. A proof-of-concept exploit for CVE-2024-5806 is publicly available, but no reports of active exploitation have been received.

The ongoing rise in attack attempts and the previous exploitation history underscore the critical need for swift mitigation measures. Organizations are urged to take immediate action to secure their MOVEit deployments and protect against potential attacks.

  1. The discovery of vulnerabilities in Progress Software's MOVEit Transfer Service, such as CVE-2024-5806, poses a cybersecurity risk for data and cloud computing systems, as demonstrated by the Clop ransomware group's previous exploitation of similar MOVEit vulnerabilities.
  2. Despite the complexity of exploiting CVE-2024-5806, the potential for someone with access to a vulnerable instance and a valid username to perform an attack on MOVEit Transfer remains a concern, emphasizing the importance of cybersecurity measures to safeguard against such threats.
  3. The ongoing threat of ransomware attacks against MOVEit customers highlights the need for organizations to promptly implement mitigation measures, including patching affected systems, intensively monitoring logs for suspicious activities, and securing MOVEit deployments against exploitation attempts.
