Join us at Hacker Summer Camp in Las Vegas! Let's Connect

How to find MOVEit file transfer services on your network

HD Moore
Rob King
Tom Sellers
Updated

Latest MOVEit Managed File Transfer service vulnerability: CVE-2024-5805 and CVE-2024-5806 (June 2024) #

Progress software has disclosed two new vulnerabilities in the MOVEit Gateway (CVE-2024-5805) and MOVEit Transfer (CVE-2024-5806) products. 

These vulnerabilities affect the SFTP (Secure File Transfer Protocol) module of the MOVEit Gateway and MOVEit Transfer products. Attackers may exploit these vulnerabilities to bypass authentication on vulnerable systems, gaining unauthorized access to these systems.

Note that these vulnerabilities further underscore the uptick in attacks on border devices described in the runZero Research Report. Attacks on this class of device have been especially prevalent recently, as they often provide high-value targets that can reveal large amounts of critical and private information to attackers.

What is the impact? #

Successful exploitation of these vulnerabilities would allow an attacker to access the vulnerable system without authentication. Note that, according to several sources including Watchtowr Labs, exploit information for this vulnerability is publicly available.

How runZero users can find potentially vulnerable Progress MOVEit Gateway services #

From the Service inventory, runZero users took the following query to locate all Progress MOVEit Gateway web services across their network:

    product:MOVEit

CVE-2023-34362 (June 2023) #

Reports of active exploitation of a zero-day vulnerability in the MOVEit file transfer software made the rounds in June 2023. The vendor, Progress Software, released an advisory and the issue was assigned CVE-2023-34362. Attackers were abusing a SQL injection vulnerability in the web interface of MOVEit to deploy a web shell and gain access to the data stored within the platform.

What was the impact? #

Multiple security service providers, including Rapid7, reported active exploitation of this issue, with the attack resulting in the installation of a 'web shell', often accessed through the path '/human2.aspx'. Progress Software's advisory stated that users should have looked for indicators of compromise (IoCs) going back at least 30 days, indicating that this issue might have been actively exploitable for weeks and had only just come to light. A compromise of the MOVEit server could lead to full exposure of all files managed by the service, access to the user database of the service, and could provide a foothold into the organization's network, depending on network segmentation rules.

On May 31st, 2023, Progress posted an advisory, including a download link to a patch. This advisory also described some of the indicators of compromise and what paths and types of logs to look for to determine if the system was breached.

How runZero users found potentially vulnerable Progress MOVEit Managed File Transfer services #

From the Service inventory, runZero users took the following prebuilt query to locate all Progress MOVEit Managed File Transfer web services across their network:

_asset.protocol:http protocol:http (http.head.setCookie:"MIDMZLang" OR favicon.ico.image.md5:9dffe2772e6553e2bb480dde2fe0c4a6)
Progress Software MOVEit Managed File Transfer web service query

As always, any pre-built queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Written by HD Moore

HD Moore is the co-founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.
More about HD Moore

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find PKIX-SSH services on your network
A fork of OpenSSH called PKIX-SSH was impacted by the recently discovered regreSSHion vulnerability. Here's how to find impacted services on your...
Read More
Rapid Response
How to find Westermo devices on your network
Westermo has disclosed several vulnerabilities regarding their Lynx Industrial Ethernet switches. Here's how to find them on your network.
Read More
Rapid Response
How to find Kaspersky products with runZero
The US government has banned the sale of Kaspersky products and services. Here's how to find Kaspersky products in your network.
Read More
Rapid Response
How to find Microsoft Message Queuing (MSMQ) servers on your network
A new pre-auth use-after-free vulnerability in the Microsoft Message Queuing (MSMQ) service is rated critical. Find impacted systems now with runZero.
Read More

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try It Free
© Copyright 2024 runZero, Inc. All Rights Reserved