Progress Software has issued a critical security advisory warning of a severe authentication bypass vulnerability, tracked as CVE-2024-5806, affecting its MOVEit Automation enterprise Managed File Transfer (MFT) platform. Given the high-value targets often utilizing MFT solutions and the historical weaponization of MOVEit vulnerabilities, defenders must treat this as an imminent threat to data integrity and availability. This flaw allows unauthenticated attackers to bypass the login interface entirely and gain administrative control over the affected instance.
If your organization relies on MOVEit Automation (formerly Tumbleweed/MOVEit DMZ), immediate patching is non-negotiable. An exploit leveraging this flaw provides an attacker with the keys to the kingdom—access to sensitive file transfers, partner credentials, and a potential pivot point into the internal network.
Technical Analysis
- Affected Products: MOVEit Automation (formerly MOVEit DMZ).
- Affected Versions:
- 2023.0.x versions prior to 2023.0.6
- 2023.1.x versions prior to 2023.1.4
- 2024.0.x versions prior to 2024.0.2
- CVE Identifier: CVE-2024-5806
- CVSS Score: 9.8 (Critical)
Vulnerability Mechanics: CVE-2024-5806 is an authentication bypass vulnerability residing in the MOVEit Automation web interface. Specifically, the flaw allows an unauthenticated remote attacker to send a crafted request to the application that validates as a legitimate administrative session without providing credentials. This is not a brute-force attack; it is a logic flaw that grants immediate, high-privileged access to the management console.
Exploitation Status: While widespread mass exploitation has not yet been reported at the time of this advisory, the public disclosure of a critical auth bypass in a known target usually leads to active scanning and exploitation within 24 to 48 hours. The vulnerability is theoretically easy to exploit, requiring only an HTTP request to the vulnerable endpoint.
Detection & Response
Detecting an authentication bypass is challenging because the logs may show a successful "login" without a failed attempt precursor. Defenders must look for administrative actions performed by users without corresponding typical logon patterns or geographic anomalies.
SIGMA Rules
---
title: MOVEit Automation Service Spawning Shell
id: 8a4b2c19-0d72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects the MOVEit Automation service process spawning cmd.exe or powershell.exe, indicating potential post-exploitation activity or webshell execution.
references:
- https://progress.com/moveit-transfer/security-advisories
author: Security Arsenal
date: 2024/06/12
tags:
- attack.initial_access
- attack.execution
- cve-2024-5806
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains: '\MOVEitAutomation\'
ParentImage|endswith:
- '\tmservice.exe'
- '\DMZServer.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: all of selection*
falsepositives:
- Legitimate administrative debugging (rare)
level: critical
---
title: MOVEit Automation Anomalous Admin Access
id: 9c5d3e20-1e83-5f4b-bc12-3e5a8f901234
status: experimental
description: Detects successful authentication to MOVEit Automation web interface followed immediately by sensitive administrative modifications, useful for spotting bypass exploits.
references:
- https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2024/06/12
tags:
- attack.defense_evasion
- attack.persistence
logsource:
category: webserver
product: moveit_automation
detection:
selection_uri:
cs-uri-stem|contains:
- '/admin'
- '/api/v1/user'
- '/api/v1/configuration'
selection_status:
sc-status: 200
condition: all of selection_*
falsepositives:
- Legitimate administrator configuration changes
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious administrative access patterns in MOVEit Automation
// Note: Adjust the 'ServiceName' and 'LogSource' based on your specific ingestion (IIS, Syslog, or CEF)
DeviceNetworkEvents
| where RemotePort == 443
| where Url contains "moveit"
| where Url contains "/admin" or Url contains "/api/v1"
| where ActionType == "ConnectionAccepted" or InitiatingProcessFileName == "java.exe"
| summarize Count = count(), ConnectionTimes = make_list(TimeGenerated), IPs = make_list(RemoteIP) by DeviceName, Url
| where Count > 10 // Threshold for anomaly detection
| project DeviceName, Url, Count, IPs, ConnectionTimes
Velociraptor VQL
-- Hunt for MOVEit Automation process anomalies
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'tmservice'
OR Name =~ 'DMZServer'
;
-- Check for unexpected child processes spawned by MOVEit
SELECT Parent.Name AS ParentProcess, Child.Name, Child.CommandLine, Child.Pid
FROM pslist(pid=ParentPid)
LEFT JOIN pslist() AS Child ON Child.Ppid = Parent.Pid
WHERE Parent.Name =~ 'tmservice'
AND Child.Name NOT IN ('tmservice.exe', 'conhost.exe', 'svchost.exe')
Remediation Script (PowerShell)
<#
.SYNOPSIS
Check MOVEit Automation Version for CVE-2024-5806 vulnerability.
.DESCRIPTION
This script checks the installed version of MOVEit Automation against vulnerable ranges.
#>
$vulnerableVersions = @(
@{Name="2023.0.0"; Fixed="2023.0.6"},
@{Name="2023.1.0"; Fixed="2023.1.4"},
@{Name="2024.0.0"; Fixed="2024.0.2"}
)
# Common installation paths
$paths = @(
"C:\Program Files (x86)\Progress\MOVEit Automation\",
"C:\Program Files\Progress\MOVEit Automation\",
"C:\Program Files (x86)\Tumbleweed\SecureTransport\"
)
$found = $false
foreach ($path in $paths) {
if (Test-Path $path) {
$found = $true
Write-Host "[+] Found MOVEit installation at: $path" -ForegroundColor Cyan
# Attempt to get version from executable (tmservice.exe is a common binary)
$exePath = Join-Path -Path $path -ChildPath "tmservice.exe"
if (Test-Path $exePath) {
$versionInfo = (Get-Item $exePath).VersionInfo
$fileVersion = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
Write-Host " Current Version: $fileVersion" -ForegroundColor Yellow
# Simple check logic (Adjust based on exact FileVersion string returned)
if ([version]$fileVersion -lt [version]"2024.0.2" -and [version]$fileVersion -ge [version]"2024.0.0") {
Write-Host " [ALERT] Vulnerable to CVE-2024-5806. Upgrade to 2024.0.2 or later." -ForegroundColor Red
}
elseif ([version]$fileVersion -lt [version]"2023.1.4" -and [version]$fileVersion -ge [version]"2023.1.0") {
Write-Host " [ALERT] Vulnerable to CVE-2024-5806. Upgrade to 2023.1.4 or later." -ForegroundColor Red
}
elseif ([version]$fileVersion -lt [version]"2023.0.6" -and [version]$fileVersion -ge [version]"2023.0.0") {
Write-Host " [ALERT] Vulnerable to CVE-2024-5806. Upgrade to 2023.0.6 or later." -ForegroundColor Red
}
else {
Write-Host " [INFO] Version appears patched or out of scope." -ForegroundColor Green
}
} else {
Write-Host " [WARN] Could not find tmservice.exe to verify version." -ForegroundColor DarkYellow
}
}
}
if (-not $found) {
Write-Host "[INFO] No MOVEit Automation installation found in standard paths." -ForegroundColor Gray
}
Remediation
-
Patch Immediately: Apply the updates provided by Progress Software to reach the fixed versions:
- Upgrade to 2023.0.6 or later
- Upgrade to 2023.1.4 or later
- Upgrade to 2024.0.2 or later
-
Official Advisory: Refer to the Progress Security Advisory for detailed download links and checksums: Progress MOVEit Automation Security Advisory.
-
Network Isolation: If immediate patching is not possible, restrict access to the MOVEit Automation web interface (
/admin,/api) to specific, trusted management IP ranges via firewall or WAF rules. Do not expose the management interface directly to the public internet. -
Audit Logs: While moving to patch, review MOVEit Automation logs for any unauthorized administrative changes or user creation events.
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.