CVE-2024-6576 - Vulnerability Details - OpenCVE

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.04654.

Key SSVC decision points have not yet been added.

Vendors	Products
Progress	Moveit Transfer

Configuration 1 [-]

OR	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Progress	Moveit Transfer

Advisories

Source	ID	Title
EUVD	EUVD-2024-47648	Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576
https://www.progress.com/moveit

History

Fri, 01 Aug 2025 20:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:progress:moveit_transfer::::::::

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-07-29T13:46:32.409Z

Updated: 2024-08-01T21:41:03.876Z

Reserved: 2024-07-08T17:38:23.180Z

Link: CVE-2024-6576

Vulnrichment

Updated: 2024-08-01T21:41:03.876Z

NVD

Status : Analyzed

Published: 2024-07-29T14:15:04.190

Modified: 2025-08-01T20:39:00.850

Link: CVE-2024-6576

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-12T22:01:21Z

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6576", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-07-08T17:38:23.180Z", "datePublished": "2024-07-29T13:46:32.409Z", "dateUpdated": "2024-08-01T21:41:03.876Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["SFTP"], "platforms": ["Windows"], "product": "MOVEit Transfer", "vendor": "Progress", "versions": [{"lessThan": "2023.0.12", "status": "affected", "version": "2023.0.0", "versionType": "semver"}, {"lessThan": "2023.1.7", "status": "affected", "version": "2023.1.0", "versionType": "semver"}, {"lessThan": "2024.0.3", "status": "affected", "version": "2024.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Discovered Internally"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.<p>This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.</p>"}], "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-07-29T13:46:32.409Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"}], "source": {"discovery": "UNKNOWN"}, "title": "MOVEit Transfer Privilege Escalation Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "progress", "product": "moveit_transfer", "cpes": ["cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2023.0.0", "status": "affected", "lessThan": "2023.0.12", "versionType": "semver"}, {"version": "2023.1.0", "status": "affected", "lessThan": "2023.1.7", "versionType": "semver"}, {"version": "2024.0.0", "status": "affected", "lessThan": "2024.0.3", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-29T15:51:24.094046Z", "id": "CVE-2024-6576", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T16:07:10.830Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.876Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.progress.com/moveit", "tags": ["product", "x_transferred"]}, {"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.876Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6576", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-29T15:51:24.094046Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"], "vendor": "progress", "product": "moveit_transfer", "versions": [{"status": "affected", "version": "2023.0.0", "lessThan": "2023.0.12", "versionType": "semver"}, {"status": "affected", "version": "2023.1.0", "lessThan": "2023.1.7", "versionType": "semver"}, {"status": "affected", "version": "2024.0.0", "lessThan": "2024.0.3", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T16:00:18.817Z"}}], "cna": {"title": "MOVEit Transfer Privilege Escalation Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Discovered Internally"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress", "modules": ["SFTP"], "product": "MOVEit Transfer", "versions": [{"status": "affected", "version": "2023.0.0", "lessThan": "2023.0.12", "versionType": "semver"}, {"status": "affected", "version": "2023.1.0", "lessThan": "2023.1.7", "versionType": "semver"}, {"status": "affected", "version": "2024.0.0", "lessThan": "2024.0.3", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.progress.com/moveit", "tags": ["product"]}, {"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.<p>This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-07-29T13:46:32.409Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6576", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:41:03.876Z", "dateReserved": "2024-07-08T17:38:23.180Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-07-29T13:46:32.409Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDA362C6-190C-47AD-84E1-47B26750AE29", "versionEndExcluding": "2023.0.12", "versionStartIncluding": "2023.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "D73D7520-9201-4537-8319-363F257A884A", "versionEndExcluding": "2023.1.7", "versionStartIncluding": "2023.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "F77ADEB4-932A-46F7-8B3F-B6ADFE4417E2", "versionEndExcluding": "2024.0.3", "versionStartIncluding": "2024.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3."}, {"lang": "es", "value": " Una vulnerabilidad de autenticaci\u00f3n incorrecta en progreso de MOVEit Transfer (m\u00f3dulo SFTP) puede provocar una escalada de privilegios. Este problema afecta a MOVEit Transfer: desde 2023.0.0 antes de 2023.0.12, desde 2023.1.0 antes de 2023.1.7, desde 2024.0.0 antes de 2024.0.3."}], "id": "CVE-2024-6576", "lastModified": "2025-08-01T20:39:00.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-29T14:15:04.190", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/moveit"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.progress.com/moveit"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@progress.com", "type": "Secondary"}]}