CVE-2024-5806 Detection: A New Authentication Bypass Vulnerability in Progress MOVEit Transfer Under Active Exploitation

The cyber threat landscape in June is heating up, largely due to the disclosure of new vulnerabilities, such as CVE-2024-4577  and CVE-2024-29849. Researchers have identified a novel critical improper authentication vulnerability in Progress MOVEit Transfer tracked as CVE-2024-5806, which has already been under active exploitation in the wild a couple of hours after its discovery. 

Detect CVE-2024-5806 Exploitation Attempts

With MOVEit remaining a juicy target for cybercriminals following last year’s incidents, the potential for accessing internal files of large-scale enterprises is highly attractive to adversaries. The novel vulnerability in Progress MOVEit Transfer tracked as CVE-2024-5806 could lead to authentication bypass, which is posing an increasing challenge to defenders due to its exploitation in in-the-wild attacks shortly after the news of the flaw disclosure. Adversaries may try to weaponize CVE-2024-5806 in order to gain initial access. SOC Prime Platform for collective cyber defense has released a new Sigma rule to detect potential CVE-2024-5806 exploitation attempts. Log in to SOC Prime Platform to instantly reach the dedicated detection algorithm available via a link below:

Possible CVE-2024-5806 (MOVEIt Transfer Authentication Bypass) Exploitation Attempt (via webserver)

This Sigma rule is aligned with the MITRE ATT&CK ®framework, addressing the Initial Access tactic and the Exploit Public-Facing Application (T1190) technique. Depending on your tech stack, the detection is ready to deploy to dozens of SIEM, EDR, and Data Lake technologies.

To keep abreast of the ever-evolving threat landscape and timely identify intrusions exploiting critical vulnerabilities and zero-days, click the Explore Detections button to take advantage of the comprehensive collection of relevant SOC content. 

Explore Detections

CVE-2024-5806 Analysis  

Last year’s nerve-racking zero-day CVE-2023-34362 in Progress MOVEit Transfer caused a stir in the cybersecurity arena, posing severe risks of sensitive data leakage even to high-profile organizations. 

The watchTowr team recently discovered a new vulnerability, CVE-2024-5806, identified in Progress MOVEit Transfer software. The flaw, found in the product’s SFTP module, enables attackers to bypass authentication and gain unauthorized access to sensitive information. The vulnerability impacts MOVEit Transfer instances from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. 

The CVE-2024-5806 exploit code was publicly released just hours after the vendor issued a security bulletin acknowledging the flaw, resulting in a surge of attack attempts on vulnerable MOVEit installations. According to the stats from Shadowserver Foundation, at least 1,800 instances were observed to be exposed to the threat. 

The watchTowr researchers identified two potential attack scenarios. In the first one, an attacker could execute a “forced authentication” using a malicious SMB server and a valid username, facilitated by a dictionary-attack method. The other reveals a more perilous attack flow, giving adversaries the green light to masquerade as any user on the system.

As CVE-2024-5806 mitigation measures, the vendor strongly recommends that all MOVEit Transfer customers using versions 2023.0, 2023.1, and 2024.0 promptly upgrade to the latest patched version.

While proactive detection of vulnerability exploitation remains one of the top content priorities for enterprises that rely on popular software solutions, defenders are looking for innovative ways to enhance cyber resilience. SOC Prime’s complete product suite based on global threat intelligence, crowdsourcing, zero-trust, and extended by generative AI enables organizations to preempt emerging cyber attacks and strengthen cyber defense capabilities at scale.