Progress MOVEit Automation: Critical Authentication Bypass Vulnerability Disclosed, Patch Immediately

Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, the workflow automation component of the MOVEit managed file transfer platform. Given MOVEit's history as the most mass-exploited enterprise application of 2023 (Cl0p ransomware, 2,700+ organisations), any new critical vulnerability requires emergency patching. Organisations should apply the patch and review automation workflow configurations before exploitation begins.

#moveit #authentication-bypass #managed-file-transfer #critical-vulnerability #progress-software #patch-urgently

Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, the workflow orchestration and task automation component used by organisations to build automated file processing pipelines, scheduled transfers, and integration workflows on top of the MOVEit platform. The vulnerability allows a remote, unauthenticated attacker to authenticate as any user and access the MOVEit Automation administrative interface, including the ability to view, create, modify, and delete automated task definitions, transfer workflows, and sensitive file operation logs.

Given that MOVEit Transfer and MOVEit Automation were the most mass-exploited enterprise applications in 2023 (Cl0p's SQL injection campaign compromised over 2,700 organisations and exposed data belonging to tens of millions of individuals), any critical vulnerability in this platform requires emergency response, not a scheduled patch cycle.

Vulnerability Details

The authentication bypass resides in MOVEit Automation's session management layer. A crafted HTTP request to a specific MOVEit Automation API endpoint can cause the session validation logic to return an authenticated session context without valid credentials being supplied. The vulnerability is pre-authentication and does not require any prior knowledge of user accounts on the target system.

A patch is available from Progress Software. The advisory does not indicate confirmed exploitation at the time of disclosure, but given the volume of exploitation tooling developed against MOVEit in 2023 and the sustained attacker interest in managed file transfer infrastructure, this window will be narrow.

Specific CVE assignment and CVSS scoring were not yet reflected in NVD at time of writing; check the Progress Software security bulletin for the authoritative CVE ID and version specifics.

Affected Versions and Remediation

MOVEit Automation deployments on all versions prior to the patch release are affected. Organisations should:

  1. Identify all MOVEit Automation instances, including cloud-hosted deployments via Progress's MOVEit Cloud service and self-hosted on-premises installations
  2. Apply the available patch from Progress Software’s community portal immediately
  3. Review MOVEit Automation logs for any suspicious API calls or authentication events in the period prior to patching
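Step 3 is where most teams stall, because "suspicious API calls or authentication events" is not a query. The script below is an added example (not Progress's tooling, and not the product's real log format): it assumes a hypothetical access-log layout, hypothetical login and task-management endpoint paths, and a constructed management network, and flags the two traces an authentication bypass of this kind would leave behind, an authenticated user context on an administrative endpoint from a source that never completed a login, and task-definition changes from outside the management network. Map the real MOVEit Automation log fields into `parse()` before running it against production logs.

```python
"""Review MOVEit Automation API activity for the window before patching.

Added example: the log line layout, endpoint paths and management network
below are constructed for illustration, not Progress's documented format.
Map the real MOVEit Automation log fields into parse() before using it.
"""
import ipaddress
import re

# Hypothetical layout: "<iso-time> <src-ip> <METHOD> <path> <status> user=<name|->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)

LOGIN_PATH = "/api/v1/session"      # assumed login endpoint (hypothetical)
ADMIN_PREFIX = "/api/v1/tasks"      # assumed task-definition endpoints (hypothetical)
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # constructed admin range


def parse(lines):
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            yield ev


def review(lines):
    """Return (reason, event) findings for the two patterns a bypass leaves behind."""
    findings = []
    logged_in = set()  # source IPs that completed a successful login
    for ev in parse(lines):
        src = ipaddress.ip_address(ev["ip"])
        if ev["path"] == LOGIN_PATH and ev["status"] == 200 and ev["user"] != "-":
            logged_in.add(ev["ip"])
            continue
        if not ev["path"].startswith(ADMIN_PREFIX):
            continue
        # Pattern 1: an authenticated user context on an admin endpoint from a
        # source that never completed a login, i.e. credentials were never presented
        if ev["user"] != "-" and ev["ip"] not in logged_in:
            findings.append(("admin access without prior login", ev))
        # Pattern 2: task definitions changed from outside the management network
        if ev["method"] in {"POST", "PUT", "DELETE"} and not any(src in n for n in MANAGEMENT_NETS):
            findings.append(("task change from non-management source", ev))
    return findings


# Constructed sample: a legitimate admin session, then a source that reaches
# the task API as "admin" after a failed login and no successful one.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z 10.10.0.15 POST /api/v1/session 200 user=admin",
    "2024-05-01T08:00:05Z 10.10.0.15 GET /api/v1/tasks 200 user=admin",
    "2024-05-01T08:00:09Z 10.10.0.15 PUT /api/v1/tasks/42 200 user=admin",
    "2024-05-01T09:12:30Z 203.0.113.5 POST /api/v1/session 401 user=-",
    "2024-05-01T09:12:40Z 203.0.113.5 GET /api/v1/tasks 200 user=admin",
    "2024-05-01T09:12:44Z 203.0.113.5 POST /api/v1/tasks 201 user=admin",
    "2024-05-01T09:13:02Z 203.0.113.5 DELETE /api/v1/tasks/42 200 user=admin",
]

if __name__ == "__main__":
    for reason, ev in review(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['ip']} {ev['method']} {ev['path']}: {reason}")
```

Pattern 1 is the important one for a pre-authentication bypass: the tell is not a failed login but a privileged request that carries a user identity with no matching successful login from that source. Pattern 2 catches the same activity even where login events are missing from the logs, provided administrative access is confined to a known network range.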

The patch is available via the Progress Software Customer Community portal. MOVEit Cloud customers were patched automatically; self-hosted deployments require a manual update.

Why MOVEit Requires Elevated Urgency

The 2023 Cl0p exploitation of MOVEit Transfer demonstrated a systematic capability to scan the internet for vulnerable MOVEit instances and exploit them at industrial scale within days of disclosure. Cl0p's campaign hit government agencies, financial institutions, healthcare organisations, universities, pension funds, and major corporations; the MOVEit breach was frequently the first notification that the organisation had any exposure.

The pattern that enabled the 2023 compromise was consistent: MOVEit Transfer/Automation servers were internet-accessible, often with minimal additional authentication requirements, and organisations had not treated managed file transfer as a high-risk attack surface. The same conditions may exist today in organisations that have not revisited their MOVEit architecture since 2023.

Organisations using MOVEit should, as part of this patch cycle, also assess:

  • Is MOVEit Automation directly internet-accessible? It should be behind a reverse proxy with IP allowlisting or VPN-restricted access where possible. Automation orchestration endpoints have no requirement to be publicly reachable.
  • Are MOVEit administrative interfaces on a separate network segment from general user access? Administrative access to MOVEit Automation should be restricted to management network IP ranges.
  • Is file transfer logging retained and monitored? MOVEit Automation logs all task execution and file operations; these should be ingested into SIEM for anomaly detection.
  • Are transfer destinations and task definitions audited? A post-compromise attacker with MOVEit Automation access could add new transfer destinations exfiltrating files to attacker-controlled endpoints. Review task configurations for any unexpected external transfer destinations.
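The last item in that list, auditing task definitions for unexpected transfer destinations, is easy to automate once task definitions are exported. The script below is an added example, not Progress's own tooling: it assumes a constructed JSON export schema (the product's real export format is not assumed here) and an organisation-maintained allowlist of approved transfer endpoints, and it reports any destination outside the allowlist, any destination given as a raw IP address, and any task modified inside the review window.

```python
"""Audit exported MOVEit Automation task definitions for unexpected destinations.

Added example: the export schema below is constructed for illustration, not
the product's real export format; the allowlist is the organisation's own
list of approved transfer endpoints.
"""
import ipaddress
import json
from datetime import datetime

# Approved transfer endpoints (constructed); anything else is a finding.
APPROVED_HOSTS = {"sftp.partner-bank.example", "files.internal.example"}

# Constructed export: two long-standing tasks and one recently modified task
# that pushes files to a raw IP address nobody on the team recognises.
TASK_EXPORT = json.dumps({
    "tasks": [
        {"name": "nightly-reports", "modified": "2024-03-10T02:00:00+00:00",
         "steps": [{"type": "source", "path": "/data/reports"},
                   {"type": "destination", "protocol": "sftp",
                    "host": "sftp.partner-bank.example"}]},
        {"name": "archive-to-dfs", "modified": "2024-01-22T18:30:00+00:00",
         "steps": [{"type": "source", "path": "/data/archive"},
                   {"type": "destination", "protocol": "smb",
                    "host": "files.internal.example"}]},
        {"name": "sync-backup", "modified": "2024-05-01T09:13:00+00:00",
         "steps": [{"type": "source", "path": "/data"},
                   {"type": "destination", "protocol": "ftps",
                    "host": "198.51.100.23"}]},
    ]
})


def _is_ip_literal(host):
    """True when the destination is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_tasks(export_json, approved_hosts, modified_since=None):
    """Return findings: destinations outside the allowlist (raw IPs called out
    separately) and tasks modified on or after the ISO-8601 time modified_since."""
    since = datetime.fromisoformat(modified_since) if modified_since else None
    findings = []
    for task in json.loads(export_json)["tasks"]:
        for step in task["steps"]:
            if step.get("type") != "destination":
                continue
            host = step["host"].lower()
            if host not in approved_hosts:
                reason = ("raw IP destination" if _is_ip_literal(host)
                          else "destination not in allowlist")
                findings.append({"task": task["name"], "host": host, "reason": reason})
        if since is not None and datetime.fromisoformat(task["modified"]) >= since:
            findings.append({"task": task["name"], "host": None,
                             "reason": "task modified inside the review window"})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(TASK_EXPORT, APPROVED_HOSTS, "2024-04-30T00:00:00+00:00"):
        print(f"{f['task']}: {f['reason']}" + (f" ({f['host']})" if f["host"] else ""))
```

Set `modified_since` to the earliest point at which the instance could have been exposed (the disclosure date if nothing better is known); a task that both changed in that window and points somewhere outside the allowlist is the combination to investigate first. The allowlist should be a reviewed artefact kept outside MOVEit itself, since an attacker with administrative access to the product can edit anything stored inside it.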

The disclosure follows a pattern of managed file transfer software being targeted repeatedly. MOVEit, Fortra GoAnywhere, Accellion FTA, and Kiteworks have all faced critical exploited vulnerabilities in the past three years. Organisations that manage sensitive data flows through managed file transfer platforms should plan for continued adversarial interest in this product category.
