What We Do
How We Do
Get Started
Security advisories

MOVEit Authentication Bypass Vulnerability

June 26, 2024 | 2 MINS READ

Speak With A Security Expert Now



eSentire is aware of claims that the MOVEit Transfer authentication bypass vulnerability CVE-2024-5806 is now under active exploitation. CVE-2024-5806 (CVSS: 9.1) was publicly disclosed on June 25th, along with security patches. Exploitation of the vulnerability would allow a remote and unauthenticated threat actor to access, modify, and steal sensitive data stored on MOVEit Transfer servers.

Proof-of-Concept (PoC) exploit code, along with technical details on the vulnerability, were disclosed on June 25th. On the same day, the non-profit organization Shadowserver reported observing exploitation attempts. Post-exploitation activity and attacker objectives have not been released at the time of writing. The eSentire Threat Intelligence team assesses that immediate widespread exploitation of CVE-2024-5806 is probable due to the impact of exploitation, exploit code availability, prevalence of vulnerable devices, and the history of threat actors exploiting MOVEit vulnerabilities. As such, the immediate patching of impacted devices is strongly recommended.

What we’re doing about it

What you should do about it

Additional information

CVE-2024-5806 impacts MOVEit Transfer versions “from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.” Upgrading to the latest version of MOVEit Transfer mitigates the vulnerability.

While the release of PoC exploit code has simplified the exploitation process, it is still not trivial. There are three requirements for a successful attack: the attacker must know a valid username, the vulnerable device can be authenticated to remotely, and the SFTP server is Internet-facing. As threat actors require valid usernames, it is likely that attacks will involve username spraying to identify valid accounts.

A second critical authentication bypass vulnerability was also disclosed on June 25th. CVE-2024-5805 (CVSS: 9.1): An improper authentication vulnerability in Progress MOVEit Gateway (SFTP module) allows authentication bypass. The vulnerability impacts MOVEit Gateway: 2024.0.0. There is currently no indication that CVE-2024-5805 has been exploited in the wild.

MOVEit vulnerabilities have been heavily targeted by threat actors in the past. In June 2023, eSentire reported on a CLOP (Lace Tempest) extortion group campaign, which involved exploitation of the MOVEit vulnerability CVE-2023-34362 (CVSS: 9.8). The vulnerability was abused to access vulnerable servers and steal victim data. This data was then used as leverage in extortion schemes. As CLOP proved the potential value of this form of attack against MOVEit devices, other threat actors may attempt to imitate the successful campaign by exploiting CVE-2024-5805 or CVE-2024-5806.


[1] https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
[2] https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
[3] https://x.com/Shadowserver/status/1805676078620401831
[4] https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway/
[5] https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805
[6] https://www.esentire.com/security-advisories/update-on-moveit-transfer-vulnerabilities
[7] https://nvd.nist.gov/vuln/detail/CVE-2023-34362

View Most Recent Advisories