MOVEit Automation Auth Bypass: Patching & Detection Strategies
Heads up, everyone. Just saw the alert regarding Progress Software releasing updates for MOVEit Automation. Given the history with MOVEit Transfer, seeing another critical vulnerability—this time an authentication bypass—is concerning.
The flaw affects MOVEit Automation (formerly Central). It allows threat actors to bypass authentication entirely. Since this product is often used to bridge gaps between enterprise systems and automate sensitive file transfers without scripts, a compromise here could be devastating for supply chain integrity.
We are currently inventorying instances. If you are using this, assume the web interface is exposed until patched.
I've written a quick PowerShell snippet to help identify installed versions on Windows hosts so you can cross-reference with the Progress advisory:
```powershell
# Query both the native and the WOW6432Node uninstall keys so a 32-bit install on a 64-bit host is not missed
$regPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
Get-ItemProperty $regPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match "MOVEit" -and $_.DisplayName -match "Automation" } |
    Select-Object DisplayName, DisplayVersion, InstallDate
```
For detection, you should be hunting for administrative API calls or successful file transfers originating from IPs that don't match your known partner IP ranges.
How is everyone handling the validation of these automation scripts post-patch? I'm worried about regression in our scheduled workflows.
We use Sumo Logic for visibility. We immediately set up a rule for HTTP 200 status codes on the root path of the Automation dashboard where the 'Authorization' header is missing or uses a null session. It’s a crude heuristic, but given the auth bypass nature, successful requests without valid headers are a major red flag right now.
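A script-based version of the two detection ideas in this thread (the 200-without-Authorization rule above, and the partner-IP comparison from the original post), added here as an example and not part of any poster's tooling or Sumo Logic rule; the log format, partner ranges and dashboard paths are constructed assumptions to be replaced with your own:

```python
import ipaddress

# Constructed, space-separated access-log format assumed for this example:
# <date> <time> <client-ip> <method> <path> <status> <auth: yes|-|null>
# The "auth" column stands in for whatever your log source exposes about the
# Authorization header (present, absent, or an empty/"null" session value).
SAMPLE_LOG = """\
2024-01-10 09:00:01 203.0.113.10 GET / 200 yes
2024-01-10 09:00:05 198.51.100.7 GET / 200 -
2024-01-10 09:00:09 198.51.100.7 POST /api/v1/tasks 200 null
2024-01-10 09:01:00 203.0.113.22 GET /login 401 -
2024-01-10 09:02:30 10.0.5.4 GET / 200 yes
"""

# Assumed partner/admin source ranges and dashboard paths; replace with your own.
PARTNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
DASHBOARD_PATHS = {"/", "/api/v1/tasks"}


def parse_line(line: str) -> dict:
    date, time, ip, method, path, status, auth = line.split()
    return {"ts": f"{date} {time}", "ip": ipaddress.ip_address(ip),
            "method": method, "path": path, "status": int(status),
            "auth_present": auth == "yes"}


def find_suspicious(log_text: str) -> list:
    """Return (timestamp, ip, path, reason) for each request worth triaging."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Only successful requests to the dashboard matter for this heuristic
        if rec["status"] != 200 or rec["path"] not in DASHBOARD_PATHS:
            continue
        reasons = []
        if not rec["auth_present"]:
            reasons.append("200 without Authorization header")
        if not any(rec["ip"] in net for net in PARTNER_RANGES):
            reasons.append("source IP outside partner ranges")
        for why in reasons:
            hits.append((rec["ts"], str(rec["ip"]), rec["path"], why))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```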
MFT patching is always a game of Russian Roulette with client uptime. We are advising clients to restrict access to the web interface via firewall rules (IP whitelisting) immediately as a temporary mitigation while we schedule the maintenance windows. You can't rely on the app's auth if the bug bypasses it. Network segmentation is your friend here.
I'd recommend checking for the creation of new 'Scheduler' tasks in your audit logs. If an attacker gets in, they aren't just looking at files; they will likely persist by scheduling a malicious job to exfiltrate data later. Look for recently modified tasks in the database or the UI that weren't created by your admin staff.