CVE-2024-5805: MOVEit Automation Authentication Bypass Mitigation Guide

Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, an enterprise-grade managed file transfer (MFT) solution. This flaw, tracked as CVE-2024-5805, carries a CVSS score of 9.1, indicating a severe risk for organizations relying on this software for automated data workflows. According to BleepingComputer, the issue resides within the SFTP service of the MOVEit Automation engine.

The vulnerability allows an unauthenticated attacker to bypass standard authentication protocols. In an enterprise environment, MOVEit Automation is frequently used to handle the transfer of sensitive data between internal systems and external partners. Successful exploitation grants the attacker unauthorized access to these managed resources, potentially leading to mass data exfiltration or further compromise of the internal network through Lateral Movement.

Technical Analysis of CVE-2024-5805

The flaw is described as an improper authentication vulnerability in the SSH engine of the MOVEit Automation SFTP service. MFT systems are uniquely positioned in the Supply Chain Attack landscape; they often store credentials for numerous external endpoints and maintain access to sensitive internal file shares. By bypassing the authentication mechanism of the SFTP service, an attacker can effectively impersonate authorized users or the system itself to manipulate file transfers.

While there was no immediate evidence of active exploitation at the time of the initial advisory, MFT solutions have become a primary target for various threat actors seeking to perform large-scale data theft. The critical nature of this CVE stems from the fact that no prior credentials or specific user knowledge are required to initiate the bypass, significantly lowering the barrier for entry for potential exploiters.

How to Detect CVE-2024-5805 Exploit Activity

Security teams should prioritize monitoring their SOC dashboards for unusual SFTP connection attempts. Specifically, defenders should look for anomalous source IP addresses connecting to the SFTP interface of MOVEit Automation. Monitoring should also include log entries indicating successful logins that do not correlate with known service accounts or user schedules.

Integrating these IoC signals into a SIEM can provide the visibility needed to identify potential probes. Organizations should also leverage EDR solutions to monitor for suspicious child processes spawning from the MOVEit Automation service, which could indicate an attempt at RCE following the initial bypass.

MOVEit Automation 2024.0.0 Patch Guidance

The vulnerability affects several major versions of the product. Administrators must verify their current version and apply the appropriate update immediately. The affected versions include MOVEit Automation 2023.0.x, 2023.1.x, and 2024.0.x. Progress Software has released the following fixed versions to address this flaw:

• MOVEit Automation 2023.0.11
• MOVEit Automation 2023.1.6
• MOVEit Automation 2024.0.2

Progress MOVEit SFTP Vulnerability Mitigation

Beyond patching, a Zero Trust approach to MFT security can limit the blast radius of such vulnerabilities. This includes segmenting the MFT environment from the rest of the corporate network and enforcing strict identity and access management policies. Given the history of high-profile vulnerabilities in the MOVEit product suite, continuous monitoring and rapid response are essential components of a resilient security posture. Defenders should remain vigilant and ensure all MFT instances are audited for unauthorized configuration changes or new, unrecognized user accounts created during the vulnerability window. Applying the patch remains the only definitive way to resolve the underlying authentication flaw.