New MOVEit Transfer security flaws have been discovered — so patch now

Sead Fadilpašić

27 June 2024 at 10:59 am·2-min read

An abstract image of a lock against a digital background, denoting cybersecurity. — (Image Credit: TheDigitalArtist / Pixabay). | Credit: Pixabay

A new vulnerability in the managed file transfer solution MOVEit Transfer (MFT), which allows threat actors to bypass authentication and tamper with other people’s files as they see fit.

The company disclosed finding the vulnerability earlier this week, but has also revealed a patch is available now, with users advised to apply it immediately and secure their networks.

The vulnerability, described as an improper authentication flaw, is tracked as CVE-2024-5806, and is currently awaiting a severity score. It allows people to work past the authentication process in the Secure File Transfer Protocol (SFTP) module, responsible for transferring files over SSH. Threat actors abusing this flaw are allowed to access data stored on the MFT server, upload, download, delete, or modify files, as well as intercept and tamper with incoming/outgoing file transfers.

Vulnerable instances

Cyber-intelligence platform Censys scanned the internet for exposed MFT instances and found roughly 2,700 of them, mostly located in the US, UK, Germany, Canada, and the Netherlands. However, it is impossible to tell how many of these applied the patch, or how many are vulnerable at this time.

Yet we do know that malicious actors are already on the move. Shadowserver Foundation said it observed multiple threat actors trying to exploit the flaw. It is only logical, given that cybersecurity experts from watchTowr published a proof-of-concept, detailing how an attack might be pulled off.

The vulnerability affects these versions:

2023.0.0 before 2023.0.11

2023.1.0 before 2023.1.6

2024.0.0 before 2024.0.2

Users should patch to versions 2023.0.11, 2023.1.6, and 2024.0.2, all available on the Progress Community portal.

Last year, MFT was at the center of a major security fiasco, after a flaw in the system allowed the Cl0p ransomware group to steal sensitive data from thousands of organizations worldwide.

Via BleepingComputer

More from TechRadar Pro

The MOVEit breach may well have been the biggest cyberattack of the year
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Tom's Guide
Rumored iPhone 16 camera layout is the right move, even if it’s for the wrong reason
It's looking increasingly likely that Apple is going to change the camera layout on the iPhone 16. It's an improved look, even if it doesn't lend the desired boost to spatial video.
TechRadar
Sure, the iPhone 15 Pro's Action button is great, but Apple should adopt this retro Google Pixel feature
I’d love it if the iPhone 16 took inspiration from this retro Google Pixel feature: squeezable sides.
Tom's Guide
I used this $80 Bluetooth keyboard for a week and it's a game-changer
Logitech has launched a new ultra-portable Bluetooth keyboard that can pair with, and switch between, 3 separate devices.
TechRadar
The latest Google Lens update might bring Circle to Search to many more phones
Clues found in recent Google betas hint at the expansion and we could see a new navigation option for the tool as well.
TechCrunch
SAP, and Oracle, and IBM, oh my! 'Cloud and AI' drive legacy software firms to record valuations
There's something of a trend around legacy software firms and their soaring valuations: Companies founded in dinosaur times are on a tear, evidenced this week with SAP's shares topping $200 for the first time. The Germany-based enterprise software provider was valued at $92 billion two years ago, and $156 billion 12 months back, meaning its market cap has grown more than 50% in the past year alone. CEO Christian Klein has overseen SAP's turnaround since 2020, focusing on helping customers transition to the cloud while striking useful partnerships with hyperscalers such as Google and Nvidia along the way.
Insider Monkey
Salesforce, Inc. (CRM): Is It One of the Best Cloud Computing Stocks to Buy Now?
We recently compiled a list of the 10 Best Cloud Computing Stocks to Buy Now. In this article, we are going to take a look at where Salesforce, Inc. (NYSE:CRM) stands against the other cloud computing stocks. You can also check out the 10 Best Artificial Intelligence Stocks to Buy Under $10 here. Cloud computing […]
INSIDER
After my husband and I stopped wearing our wedding rings, we tried polyamory. 3 years later, we're happily nonmonogamous.
My husband and I were monogamous before we got married. When we stopped wearing our wedding rings, we decided to try polyamory.
The Telegraph
Woman arrested after prison officer filmed allegedly having sex with inmate
A woman has been arrested after footage was widely circulated that appeared to show a prison officer having sex with an inmate.
The Telegraph
‘I’m not going to buy electric again – it’s the worst car I’ve ever had’
Ray Bestwick bought an electric car last May in the hope of hassle-free motoring.
Hello!
Amal Clooney, 46, is glowing in flirty floral dress as she walks hand in hand with George Clooney
George Clooney and his wife, Amal, were spotted in St Tropez this past week, and Amal made the most of the glorious sunshine with a flirty floral mini dress. See the pictures here...
Hello!
Elizabeth Hurley, 59, is a goddess in tiny string bikini
Elizabeth Hurley showed off her incredible physique in a yellow string bikini as she posed for Instagram – and the Gossip Girl actress, 59, looked better than ever. See photos.
Associated Press
An Indian military tank sinks while crossing a river in a region bordering China, killing 5 soldiers
Five Indian soldiers were killed when a military tank they were travelling in sank while crossing a river in the remote region of Ladakh that borders China, officials said Saturday. The tank sank early Saturday due to sudden increase in the water levels of Shyok River during a military training activity, according to an Indian army command center statement. It said the accident took place in Saser Brangsa near the Line of Actual Control that divides India and China in the Ladakh region.
SETHLUI.COM
Guan Huat Yong Tau Foo: 44-year-old YTF stall with super gao laksa broth & over 40 ingredients
The post Guan Huat Yong Tau Foo: 44-year-old YTF stall with super gao laksa broth & over 40 ingredients appeared first on SETHLUI.com.
NY Daily News
Ben Affleck officially moved out of marital home with Jennifer Lopez while she was on vacation
Ben Affleck has made his move-out official, reportedly taking all of his belongings from the Beverly Hills mansion he previously shared with wife Jennifer Lopez. The actor, 51, has been staying alone in a Brentwood rental home for the past month, but recently decided to remove all of his items that remained in Beverly Hills. He’s said to have moved all of his things out of the $60 million ...
INSIDER
How the US Navy tried — and failed — to sink carrier USS America for weeks
The USS America's sinking followed decades of service — and weeks of bombardment. Sinking an aircraft carrier proved harder than the US Navy thought.
The Guardian
‘Sex in an LA spa was strangely wholesome, like an extension of the wellness experience’: This is how we do it in America
Rob used to be hyper-monogamous – but then he met Mikey and discovered a whole world of experimentation
SETHLUI.COM
Mr Egg Fried Rice: Tasty fried rice with massive portions, hidden among HDBs in Bishan
The post Mr Egg Fried Rice: Tasty fried rice with massive portions, hidden among HDBs in Bishan appeared first on SETHLUI.com.
The Telegraph
‘Trillion dollar trainwreck’: US super stealth fighter is eating the next generation
All of a sudden, the US Air Force is considering cancelling a multibillion-dollar effort to develop a new stealth fighter. Citing the high cost of the so-called “Next-Generation Air Dominance” programme and the competing demands of other projects, USAF leaders have warned they may have no choice but to cancel NGAD – and find other ways of winning control of the air in future wars.
Fortune
Nvidia will produce such a massive ‘cash gusher’ that it will have to buy back more stock because all that money has nowhere else to go, analyst says
Melius Research projects Nvidia will generate $270 billion in cash over the next three years, potentially setting the stage for huge shareholder returns.
People
Griff Is Giving Away the Dress She Wore to Open for Taylor Swift: ‘Wanted to Pass It Down’
The singer revealed she is giving away her "But Daddy I Love Him"-inspired dress she wore when she opened at the Eras Tour on June 22

Vulnerable instances

More from TechRadar Pro

Latest stories