Progress Software has issued an urgent security advisory regarding a critical vulnerability in MOVEit Automation. This is distinct from the widely reported MOVEit Transfer vulnerabilities; this specific flaw affects the Automation product (formerly Globalscape EFT). Tracked as CVE-2024-5806, this vulnerability carries a CVSS score of 10.0 (Critical). It is an authentication bypass vulnerability that allows unauthenticated remote attackers to gain administrative access to the system. Given the prevalence of MOVEit in healthcare and enterprise environments for managed file transfers, the risk of data exfiltration and ransomware deployment is imminent. Defender action is required immediately to identify exposure and patch affected instances.
Technical Analysis
- CVE Identifier: CVE-2024-5806
- CVSS Score: 10.0 (Critical)
- Affected Product: MOVEit Automation (formerly Globalscape EFT)
- Affected Versions:
- MOVEit Automation 2023.x before 2023.0.2
- MOVEit Automation 2022.x before 2022.1.1
- MOVEit Automation 2021.x before 2021.1.3
- Vulnerability Type: Authentication Bypass (CWE-287)
- Mechanism: The vulnerability exists in the web interface of MOVEit Automation. An attacker can send a specially crafted HTTP request to the server that bypasses standard authentication checks. Successful exploitation grants the attacker full administrative privileges over the application.
- Exploitation Status: While specific in-the-wild exploitation has not been universally confirmed at the time of this advisory, the severity (CVSS 10.0) and the history of MOVEit exploitation suggest that active scanning and weaponization are likely occurring imminently. Proof-of-concept concepts are circulating within the security community.
Detection & Response
Detecting an authentication bypass without prior knowledge of the specific exploit payload is challenging. The most effective strategy is to hunt for post-exploitation behaviors (such as webshell deployment or administrative process execution) and to monitor for suspicious HTTP traffic patterns targeting the MOVEit Automation management interface.
SIGMA Rules
The following Sigma rules identify suspicious process executions often associated with the weaponization of web vulnerabilities and unauthorized administrative access on MOVEit Automation hosts.
---
title: MOVEit Automation Web Server Spawning Shell
id: 89f3a12d-45b6-4f89-9123-aa456b78c9d1
status: experimental
description: Detects the MOVEit Automation web process (java.exe or eftserver.exe) spawning cmd.exe or powershell.exe, indicative of webshell activity or RCE.
references:
- https://community.progress.com/s/article/ MOVEit-Automation-Critical-Authentication-Bypass-Vulnerability-CVE-2024-5806
author: Security Arsenal
date: 2024/09/17
tags:
- attack.execution
- attack.t1059.001
- attack.t1505.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains:
- '\MOVEit\'
- '\Globalscape\'
- 'EFTServer.exe'
- 'java.exe' # MOVEit Automation often relies on Java components
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate administrative troubleshooting (rare)
level: high
---
title: Suspicious MOVEit Automation Administrative Access
id: 1b2c3d4e-5f6g-7h8i-9j0k-1l2m3n4o5p6q
status: experimental
description: Detects successful HTTP 200 responses to MOVEit Automation admin interfaces potentially indicative of successful auth bypass exploitation attempts.
references:
- https://community.progress.com/s/article/MOVEit-Automation-Critical-Authentication-Bypass-Vulnerability-CVE-2024-5806
author: Security Arsenal
date: 2024/09/17
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
product: moveit_automation
detection:
selection:
c-uri|contains:
- '/admin'
- '/api/v1/'
- '/dmzweb/'
sc-status: 200
filter:
c-useragent|contains:
- 'Mozilla'
- 'Progress-Software'
condition: selection and not filter
falsepositives:
- Valid administrative logins from internal IPs
- Monitoring probes
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for suspicious process creation patterns related to MOVEit Automation exploitation and checks for successful connections to the administrative interface.
// Hunt for suspicious process spawns by MOVEit components
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath has_any ("MOVEit", "Globalscape", "EFTServer", "Program Files\\Java")
and (ProcessVersionInfoOriginalFileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
or FolderPath endswith @"\cmd.exe"
or FolderPath endswith @"\powershell.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, CommandLine
| extend AlertContext = "Potential RCE via MOVEit Automation"
// Correlate with network connections if possible (requires Syslog/CEF for web logs)
union isfuzzy=true
(Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage contains "MOVEit"
| where SyslogMessage has "200"
| where SyslogMessage has_any ("/admin", "/api/v1")
| project TimeGenerated, Computer, ProcessName, SyslogMessage)
Velociraptor VQL
This artifact hunts for file modifications in the MOVEit Automation directories and unusual process executions that often follow a successful authentication bypass.
-- Hunt for suspicious processes and file artifacts related to MOVEit Automation
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
ParentPid
FROM pslist()
WHERE Exe =~ "MOVEit"
OR Exe =~ "EFTServer"
OR Exe =~ "Globalscape"
-- Cross-reference with suspicious child processes (like cmd/powershell)
LET SuspiciousChildren = SELECT Pid, Name, Exe, CommandLine, Parent.Pid AS ParentPid
FROM pslist()
WHERE Name =~ "cmd.exe"
OR Name =~ "powershell.exe"
SELECT
Parent.Name AS ParentProcess,
Child.Name AS ChildProcess,
Child.CommandLine
FROM foreach(row={
SELECT Pid FROM pslist() WHERE Exe =~ "MOVEit" OR Exe =~ "EFTServer"
},
query={
SELECT * FROM SuspiciousChildren WHERE ParentPid = _Pid
})
Remediation Script (PowerShell)
Use this script to audit the installed version of MOVEit Automation on Windows Servers against the patched versions.
# MOVEit Automation CVE-2024-5806 Vulnerability Audit Script
# Run as Administrator on the MOVEit Automation server
$ErrorActionPreference = "Stop"
Write-Host "[*] Checking for MOVEit Automation installation..."
# Common registry paths for MOVEit Automation (formerly Globalscape)
$registryPaths = @(
"HKLM:\SOFTWARE\Wow6432Node\Progress\MOVEit Automation",
"HKLM:\SOFTWARE\Wow6432Node\Globalscape\EFT Server",
"HKLM:\SOFTWARE\Progress\MOVEit Automation"
)
$found = $false
foreach ($path in $registryPaths) {
if (Test-Path $path) {
$found = $true
Write-Host "[+] Registry path found: $path"
# Attempt to get version from registry
$version = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue)."Version"
# Fallback: Check executable file version if registry fails or is missing detail
$installPath = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue)."Install Path"
if (-not $version -and $installPath -and (Test-Path "$installPath\EFTServer.exe")) {
$version = (Get-Item "$installPath\EFTServer.exe").VersionInfo.FileVersion
Write-Host "[+] Version detected via EFTServer.exe: $version"
} elseif ($version) {
Write-Host "[+] Version detected via Registry: $version"
}
if ($version) {
$v = [version]$version
# Check against vulnerable ranges (CVE-2024-5806)
# Affected: 2023 < 2023.0.2, 2022 < 2022.1.1, 2021 < 2021.1.3
$isVulnerable = $false
if ($v.Major -eq 2023 -and $v.Minor -eq 0 -and $v.Build -lt 2) { $isVulnerable = $true }
if ($v.Major -eq 2022 -and $v.Minor -eq 1 -and $v.Build -lt 1) { $isVulnerable = $true }
if ($v.Major -eq 2021 -and $v.Minor -eq 1 -and $v.Build -lt 3) { $isVulnerable = $true }
# Older versions are assumed vulnerable
if ($v.Major -lt 2021) { $isVulnerable = $true }
if ($isVulnerable) {
Write-Host "[!] ALERT: Vulnerable version of MOVEit Automation detected! (CVE-2024-5806)" -ForegroundColor Red
} else {
Write-Host "[OK] Version appears to be patched or not in the vulnerable range." -ForegroundColor Green
}
}
}
}
if (-not $found) {
Write-Host "[-] MOVEit Automation registry paths not found."
}
Remediation
-
Patch Immediately: Apply the updates provided by Progress Software to reach the following patched versions:
- MOVEit Automation 2023: Upgrade to 2023.0.2 or later.
- MOVEit Automation 2022: Upgrade to 2022.1.1 or later.
- MOVEit Automation 2021: Upgrade to 2021.1.3 or later.
-
Vendor Advisory: Review the official Progress Security Advisory for detailed download links and installation instructions.
- Source: Progress Security Advisory
-
Network Segmentation (Workaround): If immediate patching is not feasible, restrict access to the MOVEit Automation web interface (
/dmzweb,/admin, API endpoints) strictly to known, trusted internal IP addresses via firewall rules. The vulnerability is remotely exploitable over the network; removing internet exposure is a critical temporary mitigation. -
Credential Rotation: If your systems were running a vulnerable version and exposed to the internet, assume potential compromise. Rotate all administrative credentials and API keys associated with the MOVEit Automation instance.
-
Log Review: Conduct a thorough review of IIS/Java and MOVEit Automation logs for the past 30 days. Look for unauthorized administrative actions or suspicious POST requests that did not originate from internal IP ranges.
Related Resources
Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.