CVE-2024-5806
published 2024-06-25


Priority: P1 | 91 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 75.81% (99.5th percentile)
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | moveit_transfer | | |
| progress | moveit_transfer | >= 2023.0.0 < 2023.0.11 | 2023.0.11 |
| progress | moveit_transfer | >= 2023.1.0 < 2023.1.6 | 2023.1.6 |
| progress | moveit_transfer | >= 2024.0.0 < 2024.0.2 | 2024.0.2 |

Detection & IOCs (extracted from sources)

url: /guestaccess.aspx
other: &Arg12=
path: modules/auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806.rb
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MoveIT Transfer SFTP Authentication Bypass Attempt Inbound M0 (CVE-2024-5806)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/guestaccess.aspx"; fast_pattern; http.request_body; content:"&Arg12="; pcre:"/^\r?\n?\x2d{4}/R"; reference:cve,2024-5806; reference:url,labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/; classtype:attempted-admin; sid:2053883; rev:1; metadata:created_at 2024_06_26, cve CVE_2024_5806, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /guestaccess.aspx with a request body containing '&Arg12=' followed by a boundary-like pattern (4 dashes) — this is the exploit trigger pattern identified in the ET rule for CVE-2024-5806.
  • The Shadowserver Foundation observed in-the-wild exploitation attempts against CVE-2024-5806 shortly after public disclosure — monitor SFTP service logs on MOVEit Transfer for anomalous authentication events.
  • A public PoC exploit exists for CVE-2024-5806; treat any unpatched MOVEit Transfer SFTP service as actively targeted and prioritize patching to 2023.0.11, 2023.1.6, or 2024.0.2.
  • The Metasploit module for CVE-2024-5806 can establish an authenticated SFTP session and perform arbitrary file reads — monitor for unexpected SFTP directory listings or file reads from unauthenticated or anomalous source IPs.
  • Check Point IPS signature 'Progress MOVEit Transfer Authentication Bypass (CVE-2024-5806)' is available for network-level blocking of exploitation attempts.
  • The vulnerability affects the MOVEit Transfer SFTP module specifically; the affected version ranges are 2023.0.0–2023.0.10, 2023.1.0–2023.1.5, and 2024.0.0–2024.0.1. Deployments outside these ranges are not listed as affected.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL