Progress Software patches fresh vulnerability in its MOVEit file transfer software

Progress Software, the developer of the MOVEit Transfer file transfer software, said it has patched a new vulnerability in the file transfer application that allowed hackers to bypass the authentication process in the Secure File Transfer Protocol.

 

In a recent advisory, Progress Software said it recently identified a new vulnerability, assigned CVE-2024-5806, in the file transfer application which threat actors could exploit to bypass the authentication process in the Secure File Transfer Protocol (SFTP) module, which is responsible for file transfer operations over SSH.

 

“This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2,” reads the advisory.

 

The company has released security patches and has urged all “MOVEit Transfer customers on versions 2023.0, 2023.1 and 2024.0 to upgrade to the latest patched version immediately, and also to apply the mitigation steps for the third-party vulnerability listed below.”

 

In a separate advisory, the company said it identified another vulnerability in a third-party component used in MOVEit Transfer that “elevates the risk of the original issue mentioned above if left unpatched.” 

 

“While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk,” Progress Software warned.

 

While the company did not name the third party vendor, it said that when the vendor releases a fix, it will make that available to MOVEit Transfer customers.

 

In a statement shared with the Recorded Future News before the updated advisory was published, a spokesperson for Progress Software said the vulnerability affects MOVEit Transfer and MOVEit Gateway — two of the company’s flagship products that are used to transfer files.

 

“Currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers,” the spokesperson said. “To be clear, these vulnerabilities are not related to the zero-day MOVEit Transfer vulnerability we reported in May 2023.”