CVE-2024-5806 MOVEit Transfer Authentication Bypass / CVE-2024-5805 MOVEit Gateway Authentication Bypass

This advisory is for organizations that use MOVEit Transfer and/or MOVEit Gateway.  If your organization does not use this platform, this notification may be discarded. 



Progress has released patches to address a vulnerability discovered in their MOVEit Transfer and Gateway platforms.  The vulnerability may allow an attacker to bypass the SFTP (Secure File Transfer Protocol) authentication process, allowing them to access MOVEit Transfer and MOVEit Gateway systems.  Additional research indicates that this vulnerability may also be used to impersonate any user on the server.


CVE-2024-5806: CVSSv3.1: 9.1

               Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass


CVE-2024-5805: CVSSv3.1: 9.1

               Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP module) allows Authentication Bypass


Affected Platforms

MOVEit Transfer prior to v 2023.0.11

MOVEit Transfer prior to v 2023.1.6

MOVEit Transfer prior to v 2024.0.2

MOVEit Gateway prior to v 2024.0.1
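
The following triage script is an added example, not part of the Progress advisory or any Progress tooling; it sorts an asset inventory against the fixed versions listed above. It assumes the three MOVEit Transfer entries are the fixed versions of three separate release branches and that your inventory records versions in the `2023.0.11` form; the hostnames and sample versions are constructed.

```python
import re

# Fixed versions from the "Affected Platforms" list, keyed by (year, minor) branch.
FIXED = {
    "transfer": {(2023, 0): 11, (2023, 1): 6, (2024, 0): 2},
    "gateway": {(2024, 0): 1},
}

def parse_version(text):
    """Parse 'v 2023.0.11', '2023.1.6' etc. into (year, minor, patch)."""
    m = re.fullmatch(r"\s*v?\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def triage(product, version_text):
    """Return 'affected', 'patched' or 'review' for one installation."""
    fixed = FIXED[product.lower()]
    year, minor, patch = parse_version(version_text)
    branch = (year, minor)
    if branch in fixed:
        return "affected" if patch < fixed[branch] else "patched"
    if branch < min(fixed):
        # Older than every listed branch: still "prior to" the lowest fixed version.
        return "affected"
    return "review"  # branch not named in the advisory; confirm with the vendor

def triage_inventory(rows):
    """rows: iterable of (host, product, version) -> list of (host, status)."""
    results = []
    for host, product, version in rows:
        try:
            status = triage(product, version)
        except (KeyError, ValueError):
            status = "review"  # unknown product or unparseable version string
        results.append((host, status))
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("mft-01", "Transfer", "2023.0.10"), ("mft-02", "Transfer", "v 2023.1.6"),
    ("mft-03", "Transfer", "2024.0.1"), ("mft-04", "Transfer", "2022.1.5"),
    ("gw-01", "Gateway", "2024.0.0"), ("gw-02", "Gateway", "2024.0.1"),
    ("mft-05", "Transfer", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE):
        print(f"{host}: {status}")
```

Anything returned as `review` falls outside the branches this advisory names, or could not be parsed, and needs a manual check.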



MOVEit Transfer: Patch as noted in:

MOVEit Gateway: Patch as noted in:

Progress notes additional mitigations that should be taken due to an unidentified third-party vulnerability that is related to CVE-2024-5806.  From Progress:


Newly identified 3rd Party Vulnerability


“A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.”

  • Verify you have blocked public inbound RDP access to MOVEit Transfer Servers
  • Limit outbound access to only known trusted endpoints from the MOVEit Transfer Servers


Additional Resources