CVE-2024-5806

CRITICAL EXPLOITED

Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read

Title source: metasploit

Exploitation Summary

CVE-2024-5806 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers watchtowrlabs, sec13b and sfewer-r7, including the Metasploit module auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806.

AI-analyzed exploit summary: This is a functional exploit for CVE-2024-5806, an authentication bypass vulnerability in Progress MOVEit Transfer. It leverages log poisoning to bypass SFTP authentication and impersonate arbitrary users.

Description

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

Exploits (3)

nomisec WORKING POC 45 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806

This is a functional exploit for CVE-2024-5806, an authentication bypass vulnerability in Progress MOVEit Transfer. It leverages log poisoning to bypass SFTP authentication and impersonate arbitrary users.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Progress MOVEit Transfer (versions before 2024.0.2)
No auth needed
Prerequisites: SSH key pair (PEM and PPK formats) · Network access to target SFTP and web ports
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by sec13b · remote
https://github.com/sec13b/CVE-2024-5806

This exploit leverages an authentication bypass vulnerability in Progress MOVEit Transfer by poisoning log files with attacker-controlled SSH public keys, then using Paramiko to authenticate via SFTP. The PoC automates key generation and log poisoning to achieve unauthorized access.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Progress MOVEit Transfer (version not specified)
No auth needed
Prerequisites: Network access to target · SFTP and web ports open · Ability to write to log files
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by sfewer-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806.rb

This Metasploit module exploits CVE-2024-5806, an authentication bypass vulnerability in Progress MOVEit Transfer SFTP service, allowing arbitrary file read by manipulating the SSH publickey authentication process.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Progress MOVEit Transfer 2023.0.x (before 2023.0.11), 2023.1.x (before 2023.1.6), 2024.0.x (before 2024.0.2)
No auth needed
Prerequisites: Network access to the SFTP service (port 22) · Valid username for the MOVEit Transfer instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.1
EPSS 0.7581
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2024-06-25
CWE
CWE-287
Status published
Products (2)
progress/moveit_transfer 2024.0.0
progress/moveit_transfer 2023.0.0 - 2023.0.11
Published Jun 25, 2024
Tracked Since Feb 18, 2026