Progress Software elevates severity of new MOVEit bug to ‘critical’ as exploit attempts jump
A vulnerability in the MOVEit file transfer tool is again raising alarms, with Progress Software urging customers to patch the "critical" issue" as hackers reportedly increase attempts to exploit the bug.
Progress Software released an initial advisory on Tuesday about CVE-2024-5806 — a new vulnerability that has alarmed experts because of its resemblance to another issue last year which was exploited to carry out one of the largest data theft campaigns on record. The company released a patch on June 11 and has been working with customers to resolve the issue since then.
In an updated advisory on Tuesday evening, Progress Software said a “newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched.”
The bug gives hackers access to data stored on a MOVEit Transfer server and allows them to exfiltrate, delete or change information.
“While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk,” Progress Software said.
The company did not name the responsible third party and declined to answer questions about the new issue.
Progress Software said that when the third-party vendor releases a fix, they will make it available to MOVEit Transfer customers. In the updated advisory, the company changed the severity score from 7.4 to 9.1 out of 10 — now making it a “critical” vulnerability.
In a statement to Recorded Future News before the updated advisory was published, a spokesperson said the vulnerability affects MOVEit Transfer and MOVEit Gateway — two of the company’s flagship products that are used to transfer files.
“Currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers,” the spokesperson said. “To be clear, these vulnerabilities are not related to the zero-day MOVEit Transfer vulnerability we reported in May 2023.”
On Tuesday, researchers at cybersecurity firm WatchTower released proof-of-concept code and detailed information on the bug, adding urgency to the patching effort as multiple organizations reported increased hacker interest in the vulnerability over the last 48 hours.
WatchTower said Progress Software has been contacting customers for weeks and months to patch this issue and “have made good-faith efforts to ensure this has been done.”
“We do not expect anyone to still be vulnerable due to the embargo,” WatchTower said in its technical examination of the issue, adding that Progress has made a concerted effort to ensure that customers deploy patches.
The U.K.-based Shadowserver Foundation said shortly after details of the vulnerability were published on Tuesday, they began seeing exploit attempts. The German government warned that it is also seeing attempted attacks.
Data from the foundation show 1,772 MOVEit instances exposed to the internet, though they cannot track which have already patched the vulnerability.
A similar organization, Censys, said it observed 2,700 MOVEit Transfer instances online, primarily in the U.S., virtually the same amount as in 2023 when the previous MOVEit vulnerability was exploited.
“The similarities between Censys-observed MOVEit Transfer exposure in 2023 versus 2024 may indicate how vital MOVEit is to the organizations where it is in use,” Censys said.
“While we didn’t necessarily expect a drastic drop in MOVEit Transfer exposure following the 2023 campaign by Clop, the similarity in the exposure numbers serves as a reminder that once enterprise software is in place, it often stays in place, even in the face of massive exploitation.”
During the previous incident, thousands of governments, corporations and large organizations across the globe reported widespread theft of data by Clop, a Russian-speaking ransomware gang.
Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches in 2023. One of the lawyers for a class action suit against Progress Software previously told Recorded Future News that the breach was a “cybersecurity disaster of staggering proportions.”
Progress Software said in regulatory filings last year that it is facing 58 class action lawsuits as well as federal, state and international investigations due to the string of breaches tied to MOVEit.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.