Progress MOVEit and LoadMaster Patched Against Critical RCE and Bypass
- [01] Remote attackers can bypass authentication or execute commands on MOVEit and LoadMaster instances, risking full system compromise and sensitive data exfiltration.
- [02] Impacted systems include MOVEit Transfer 2023.0.x, 2023.1.x, 2024.0.x, MOVEit Gateway 2024.0.0, and LoadMaster versions prior to 7.2.60.0.
- [03] Administrators must immediately apply the official security patches provided by Progress Software and restrict access to management interfaces.
Progress Software has released a series of critical security advisories addressing multiple vulnerabilities across its product portfolio, including MOVEit Transfer, MOVEit Gateway, and the LoadMaster application delivery controller. These vulnerabilities, if exploited, could allow unauthenticated attackers to bypass security controls, execute arbitrary code, or gain full administrative access to sensitive file transfer and load balancing infrastructure.
According to SecurityWeek, the most significant of these disclosures are an authentication bypass in the SFTP module of MOVEit Transfer and a maximum-severity command injection flaw in LoadMaster. Given the 2023 mass exploitation of MOVEit Transfer (CVE-2023-34362) by the Cl0p extortion group, which turned a single file transfer bug into hundreds of data theft incidents, these patches should be treated as high priority by any organization running the affected products.
Technical Analysis of MOVEit Authentication Bypass
The most prominent vulnerability in this set is CVE-2024-5806, which carries a CVSS score of 9.1. It is an improper authentication weakness in the SFTP module of MOVEit Transfer: under certain conditions the server accepts an authentication attempt that should have been rejected. An attacker who knows a valid username can exploit this to log in to the SFTP service as that user without the user's credentials.
The requirement of a known username is only a slight barrier. Usernames are routinely recovered from phishing, previous breach dumps, e-mail address conventions, or enumeration of accounts that partners and vendors use for automated transfers. Once logged in, an attacker has whatever access the impersonated account has: reading, downloading, and in some cases uploading files in that user's folders, which is exactly the data-theft pattern seen in the 2023 campaign. A related flaw, CVE-2024-5805, affects MOVEit Gateway, the proxy component that fronts MOVEit Transfer in a DMZ deployment.
How to detect CVE-2024-5806 exploit in SFTP modules
Defenders should monitor the MOVEit Transfer SFTP and audit logs for unusual authentication patterns rather than expecting to see the bypass on the wire: SSH user authentication takes place inside the encrypted transport, so a packet capture shows only the key exchange, not which user logged in or how. Useful log-based indicators are successful SFTP logins from source addresses a given account has never used, an authentication method (for example public key) that the account has never used before, logins for dormant service accounts, and a burst of downloads immediately after a first-time login. Forward these logs to a SIEM and baseline per-account source IPs and auth methods so that a deviation raises an alert in near real time.
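The baseline-versus-activity check described above, written out as an added example (this is not code from the page or from Progress). The log format, the field names, and the baseline are constructed for the example; MOVEit Transfer's real log layout is an assumption you must map onto when adapting it.

```python
"""Flag SFTP logins that deviate from a per-account baseline.

Added example: the key=value log format, the BASELINE table and SAMPLE_LOG are
all constructed for illustration and are NOT MOVEit Transfer's real log format.
"""
import re
from collections import defaultdict

# Constructed baseline: source IPs and auth methods each account used during a
# known-good period (in practice, build this from weeks of historical logs).
BASELINE = {
    "jsmith":  {"ips": {"198.51.100.10"}, "methods": {"password"}},
    "svc-erp": {"ips": {"198.51.100.20"}, "methods": {"publickey"}},
}

# Constructed sample log. The jsmith activity is the suspicious pattern: a
# first-time source IP, an auth method the account never used, then bulk downloads.
SAMPLE_LOG = """\
2024-06-26T02:14:05Z event=login user=svc-erp method=publickey result=success src=198.51.100.20
2024-06-26T02:14:40Z event=download user=svc-erp file=/Home/svc-erp/batch-0626.csv bytes=20480
2024-06-26T03:02:11Z event=login user=jsmith method=publickey result=success src=203.0.113.7
2024-06-26T03:02:30Z event=download user=jsmith file=/Home/jsmith/payroll.xlsx bytes=734003200
2024-06-26T03:03:02Z event=download user=jsmith file=/Home/jsmith/contracts.zip bytes=419430400
2024-06-26T03:10:00Z event=login user=jsmith method=password result=failure src=203.0.113.7
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split '<timestamp> k=v k=v ...' into a dict (timestamp kept under 'ts')."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = ts
    return rec


def analyze(log_text, baseline, bulk_threshold=500 * 1024 * 1024):
    """Return a list of (user, code, detail, ts) alerts.

    Codes: unseen-src-ip, unseen-auth-method, no-baseline, bulk-download.
    Bulk download is reported once per account when cumulative bytes exceed
    bulk_threshold (default 500 MiB) within the analyzed log.
    """
    alerts = []
    downloaded = defaultdict(int)
    bulk_reported = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        user = r.get("user")
        profile = baseline.get(user)
        if r.get("event") == "login" and r.get("result") == "success":
            if profile is None:
                alerts.append((user, "no-baseline", r.get("src"), r["ts"]))
                continue
            if r.get("src") not in profile["ips"]:
                alerts.append((user, "unseen-src-ip", r.get("src"), r["ts"]))
            if r.get("method") not in profile["methods"]:
                alerts.append((user, "unseen-auth-method", r.get("method"), r["ts"]))
        elif r.get("event") == "download":
            downloaded[user] += int(r.get("bytes", 0))
            if downloaded[user] >= bulk_threshold and user not in bulk_reported:
                bulk_reported.add(user)
                alerts.append((user, "bulk-download", str(downloaded[user]), r["ts"]))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, BASELINE):
        print(a)
```

The three rules are deliberately independent, so a login that only trips one of them still produces an alert; tune the bulk threshold to the account's normal transfer size, since partner service accounts may legitimately move large batches. Failed logins are ignored here because a successful bypass leaves a success record; a separate rule for failure spikes belongs in the same pipeline.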
LoadMaster Command Injection and WAF Bypasses
In addition to the MOVEit patches, Progress addressed CVE-2024-1212 in its LoadMaster product. This vulnerability is rated with a CVSS score of 10.0, the highest possible severity. It allows an unauthenticated remote attacker to access the management interface and execute arbitrary OS commands. This level of access grants the attacker total control over the load balancer, which often sits at a critical junction of the network architecture.
Furthermore, Progress released updates for its Web Application Firewall (WAF) to address detection bypass issues. These flaws could allow attackers to craft malicious payloads that evade standard WAF rules, potentially leading to XSS or SQL injection attacks against protected applications.
Remediation and MOVEit Transfer SFTP vulnerability patch guidance
The primary remediation is the immediate installation of the fixed releases from Progress Software. For MOVEit Transfer these are 2023.0.11, 2023.1.6, and 2024.0.2; MOVEit Gateway 2024.0.0 deployments need the corresponding Gateway update; LoadMaster users should upgrade to version 7.2.60.0 or later. Network restrictions and monitoring are compensating controls that reduce exposure while the update is scheduled, not substitutes for it.
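An added triage helper (not code from the page or from Progress) that compares the versions in an asset inventory against the fixed releases quoted above. The fixed-version table is exactly what the text states; the inventory and the product keys are constructed for the example, and for MOVEit Gateway only the affected build 2024.0.0 is checked because the page does not quote a fixed Gateway version.

```python
"""Branch-aware version triage for the Progress advisories quoted in the text.

Added example. FIXED_TRANSFER and FIXED_LOADMASTER are the versions the page
cites; INVENTORY is constructed sample data. Product keys are assumptions.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# MOVEit Transfer is patched per release branch, so the comparison must be
# done within the branch (major.minor) rather than against one global number.
FIXED_TRANSFER: Dict[Tuple[int, int], Version] = {
    (2023, 0): (2023, 0, 11),
    (2023, 1): (2023, 1, 6),
    (2024, 0): (2024, 0, 2),
}
FIXED_LOADMASTER: Version = (7, 2, 60, 0)
AFFECTED_GATEWAY: Version = (2024, 0, 0)


def parse_version(s: str, width: int = 4) -> Version:
    """'7.2.60' -> (7, 2, 60, 0); pad so '7.2.60' is not ranked below '7.2.60.0'."""
    parts = [int(p) for p in s.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"too many components: {s}")
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True = below the fix, False = fixed, None = not covered by the advisory."""
    v = parse_version(version)
    if product == "moveit_transfer":
        fixed = FIXED_TRANSFER.get(v[:2])
        if fixed is None:
            return None  # branch not listed (e.g. an out-of-support release)
        return v < parse_version(".".join(map(str, fixed)))
    if product == "moveit_gateway":
        return True if v == parse_version("2024.0.0") else None
    if product == "loadmaster":
        return v < FIXED_LOADMASTER
    raise ValueError(f"unknown product: {product}")


# Constructed inventory: (hostname, product key, reported version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("mft-01", "moveit_transfer", "2023.0.10"),
    ("mft-02", "moveit_transfer", "2024.0.2"),
    ("mft-legacy", "moveit_transfer", "2022.1.9"),
    ("gw-01", "moveit_gateway", "2024.0.0"),
    ("lb-01", "loadmaster", "7.2.59.2"),
    ("lb-02", "loadmaster", "7.2.60"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) with status in {'PATCH NOW', 'ok', 'review'}."""
    labels = {True: "PATCH NOW", False: "ok", None: "review"}
    return [(host, labels[is_vulnerable(prod, ver)]) for host, prod, ver in inventory]


if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host:12} {status}")
```

The "review" status matters in practice: a version the advisory does not list is not evidence of safety, and an unsupported branch usually means no fix will ever ship, which is a migration decision rather than a patch.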
Defenders should also apply the following MITRE ATT&CK aligned mitigations:
- Filter Network Traffic: Restrict the MOVEit SFTP listener to the partner and internal ranges that actually need it, and never expose the LoadMaster management interface to the internet; reach it only from an administrative network or VPN.
- Enhanced Monitoring: Deploy EDR on the underlying servers to detect post-exploitation activity such as unexpected child processes of the MOVEit or LoadMaster services, new scheduled tasks, or unauthorized file modifications.
- Vulnerability Scanning: Regularly scan all internet-facing assets for known unpatched vulnerabilities and for exposed management interfaces; scanners cannot find unknown flaws, so this is about closing the window between an advisory and your patch.
Failure to patch promptly invites a repeat of the 2023 MOVEit campaign, in which a single flaw in a trusted file transfer service was exploited at scale for data theft and extortion across hundreds of organizations. Review the indicators of compromise published by Progress and security vendors, and check historical SFTP logs back to the disclosure date, to confirm that no compromise has already occurred.