UPDATED 18:33 EDT / JUNE 27 2024

Progress Software discloses critical vulnerability in MOVEit file transfer service

Progress Software Corp. has disclosed a critical vulnerability in its MOVEit service, which organizations use to share files with one another.

The company detailed the flaw on Tuesday. It also disclosed a vulnerability in MOVEit Gateway, a cybersecurity product that some organizations use together with the file transfer service. The day after Progress made the vulnerabilities public, BleepingComputer reported that hackers had begun launching cyberattacks against affected customers.

The development comes less than a year after a ransomware gang used an earlier, since-patched MOVEit flaw to launch cyberattacks against the service’s users. The hacking campaign is believed to have compromised more than 2,000 organizations.

Burlington, Massachusetts-based Progress is a major provider of software development tools. It obtained MOVEit through a 2019 acquisition. The service allows organizations to exchange data with one another in a manner that complies with GDPR, the healthcare sector’s HIPAA cybersecurity regulation and other data protection rules.

The MOVEit vulnerability that Progress disclosed this week received a severity score of 9.1 out of 10. It allows hackers to bypass the platform’s authentication mechanism and log into user accounts. They can then use those accounts to download, modify or delete data.

The vulnerability affects the component of MOVEit that powers its SFTP, or Secure File Transfer Protocol, features. SFTP is a networking technology that makes it possible to transfer files between systems over encrypted connections. It’s commonly used by healthcare organizations to exchange data with one another in a manner that complies with HIPAA.

Before making the security flaw public, Progress released a patch for the SFTP module. However, the company warned that an issue in a third-party software product used by MOVEit may decrease the effectiveness of the fix. “While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk,” Progress detailed.

Cybersecurity company watchTowr Labs identified the third-party component as IPWorks SSH. This is a software tool for implementing the SSH secure networking protocol. SFTP, the networking technology that MOVEit uses to facilitate file transfer over encrypted connections, is based on SSH.

According to watchTowr, there are two ways for hackers to exploit the vulnerability. The first method, which poses a more severe risk to affected organizations, requires only the username of an account in the targeted MOVEit environment. Hackers don’t have to install any malware to gain access, which makes cyberattacks easier to launch in certain respects.

But there are also several factors that will complicate attempts to take over MOVEit accounts. Many organizations that use the file transfer service only authorize login attempts from devices with known IP addresses. According to watchTowr, hackers would have to find a way of bypassing those login restrictions before using the hacking tactic.

It’s believed that the second way of targeting the MOVEit vulnerability is less likely to be usable in practice. According to watchTowr, the technique allows hackers to obtain hashes of MOVEit users’ passwords. A hash is a value derived from another record by a one-way function. It stands in for the original record and can sometimes be cracked to recover the original information, in this case a password.

Progress disclosed the vulnerability alongside a flaw in MOVEit Gateway, an add-on product for the file transfer service. It’s a proxy that allows companies to isolate their on-premises MOVEit environments from the public web. The newly disclosed vulnerability allows hackers to bypass the proxy’s authentication mechanism. 

The flaw affects only a single version of MOVEit Gateway, which is expected to limit its severity. Progress made a patch available to customers before publicly disclosing the vulnerability. 
