26 June 2024

Recently patched MOVEit Transfer bug exploited within hours after public disclosure



Threat actors are attempting to exploit a recently patched vulnerability in Progress Software’s MOVEit Transfer and MOVEit Cloud managed file transfer solutions.

Tracked as CVE-2024-5806, the flaw is an improper authentication issue in the SFTP module in guestaccess.aspx. A remote, unauthenticated attacker can send a specially crafted HTTP POST request to bypass the authentication process and gain unauthorized access to the system. The vulnerability impacts MOVEit Transfer from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2.

Just hours after the flaw was made public, multiple exploitation attempts were observed.

“Very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts,” The Shadowserver Foundation, a nonprofit that gathers, tracks, and reports on malware, botnet activity, and electronic fraud, wrote in a post on X (formerly Twitter).

The flaw was reported to Progress Software earlier this month, and the company has released a patch to address the issue. Users are advised to upgrade to the latest fixed version or to take the following steps to mitigate the third-party vulnerability:

  • Block public inbound RDP access to MOVEit Transfer server(s)

  • Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s).
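
For triage, the affected version ranges and the request pattern Shadowserver reported can be checked as follows. This is an added example, not code from Progress or Shadowserver; it assumes W3C-format web server logs with a `#Fields:` header, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Affected ranges as stated in the article: (first affected, first fixed).
AFFECTED = [((2023, 0, 0), (2023, 0, 11)),
            ((2023, 1, 0), (2023, 1, 6)),
            ((2024, 0, 0), (2024, 0, 2))]

def parse_version(text):
    """Turn '2023.0.11' into (2023, 0, 11); reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+){2}", text.strip()):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))

def is_affected(version):
    """True if the version falls in a range the article lists as affected."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def guestaccess_posts(log_lines):
    """Count POST /guestaccess.aspx requests per client IP in W3C logs."""
    fields, hits = [], Counter()
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if (row.get("cs-method", "").upper() == "POST"
                and row.get("cs-uri-stem", "").lower() == "/guestaccess.aspx"):
            hits[row.get("c-ip", "?")] += 1
    return hits

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-06-25 18:02:11 GET / 198.51.100.7 200
2024-06-25 18:02:14 POST /guestaccess.aspx 203.0.113.45 200
2024-06-25 18:02:15 POST /GuestAccess.aspx 203.0.113.45 302
2024-06-25 18:03:40 POST /guestaccess.aspx 192.0.2.10 200
""".splitlines()

if __name__ == "__main__":
    for v in ("2023.0.10", "2023.0.11", "2024.0.1", "2024.0.2"):
        print(v, "affected" if is_affected(v) else "not in a listed range")
    for ip, n in guestaccess_posts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST /guestaccess.aspx")
```

A hit in the log is a lead for review, not proof of exploitation, and a version outside the listed ranges only means the article does not name it as affected.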

Earlier this week, a surge in cyberattacks targeting end-of-life Zyxel NAS devices by exploiting recently disclosed vulnerabilities was observed. The attacks come just weeks after three high-severity Zyxel NAS vulnerabilities were publicly disclosed. According to Shadowserver, the flaw under attack is CVE-2024-29973, an OS command injection vulnerability that allows remote command execution. The vulnerability affects Zyxel NAS326 and NAS542 devices.

