Progress Patches Critical MOVEit Automation Authentication Bypass
Progress Software has released urgent updates for MOVEit Automation (formerly Central) that address two security flaws, the most severe of which is a critical authentication bypass vulnerability. Tracked as CVE‑2024‑XXXXX, the bug affects versions prior to 2024.1.0 and can allow an unauthenticated attacker to impersonate legitimate users by sending specially crafted HTTP requests to the application’s API. The flaw stems from insufficient verification of JWT signatures and a missing validation of the token’s issuer claim, enabling attackers to forge authentication tokens without knowing the original credentials.
Technical analysis places the vulnerability in the /api/v1/auth endpoint. Because the server does not properly verify the token signature, does not check the issuer claim, and does not enforce expiration (expired tokens are accepted for reuse), an attacker can mint a JWT with a forged subject (sub) claim and an arbitrary expiration date and have it accepted as a valid session token; no knowledge of the signing key or of any user's credentials is required. The same weakness also opens the door to session fixation, in which the attacker controls the token a victim's session is bound to and can then take over that session. The second patched flaw, a moderate‑severity information‑disclosure issue (CVE‑2024‑YYYY), lets authenticated users read sensitive configuration files via a path‑traversal vector, potentially exposing API keys and internal settings.
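To make the three missing checks concrete, here is an added, generic illustration (not Progress's code, and not derived from the MOVEit Automation implementation) of an HS256 JWT verifier written the weak way described above next to a hardened one. The signing key, the issuer string and the function names are assumptions constructed for the demo; the forged tokens are built inline so the script runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; the real product's key and issuer are unknown here.
SECRET = b"demo-signing-key"
ISSUER = "https://moveit.example/auth"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Build a compact JWT; key=None with alg='none' yields an unsigned token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none" or key is None:
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_weak(token: str) -> dict:
    """The anti-pattern: trusts the payload without checking signature,
    issuer or expiry, so any self-minted sub claim is believed."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_strict(token: str, key: bytes, issuer: str, now: Optional[int] = None) -> dict:
    """Hardened validation: pinned algorithm, constant-time signature check,
    issuer pinned, exp mandatory and enforced. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never honour 'none' or an attacker-chosen alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("missing or expired exp")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run constructed tokens through both verifiers.
    Returns {case: (sub the weak verifier accepts, whether strict accepts)}."""
    good = {"iss": ISSUER, "sub": "alice", "exp": now + 3600}
    cases = {
        "legit": make_token(good, SECRET),
        "alg_none": make_token({**good, "sub": "admin"}, None, alg="none"),
        "wrong_key": make_token({**good, "sub": "admin"}, b"attacker-key"),
        "wrong_issuer": make_token({**good, "iss": "https://attacker.example"}, SECRET),
        "expired": make_token({**good, "exp": now - 60}, SECRET),
    }
    results = {}
    for name, tok in cases.items():
        weak_sub = verify_weak(tok)["sub"]
        try:
            verify_strict(tok, SECRET, ISSUER, now=now)
            strict_ok = True
        except ValueError:
            strict_ok = False
        results[name] = (weak_sub, strict_ok)
    return results


if __name__ == "__main__":
    for name, (weak_sub, strict_ok) in demo().items():
        print(f"{name:13} weak accepts sub={weak_sub!r:9} strict accepts={strict_ok}")
```

Running it shows the weak verifier happily returning sub="admin" for the unsigned and wrongly signed tokens, while the strict verifier rejects every forged case and accepts only the token signed with the real key, for the pinned issuer, with an unexpired exp. The order of checks matters: the algorithm is pinned before any signature math, and the signature is verified before any claim is read, so attacker-controlled claims never influence the decision.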
Successful exploitation of the authentication bypass can grant an attacker full administrative control over MOVEit Automation, enabling them to alter workflows, exfiltrate data, and move laterally into connected systems. Progress has shipped version 2024.1.0, which remediates both vulnerabilities. Security teams are urged to apply the patch immediately, audit user accounts for signs of unauthorized activity, and review API access logs for anomalous requests that might indicate token forgery. Because the information‑disclosure flaw could expose API keys and other secrets held in configuration files, any credentials stored there should be rotated after patching rather than assumed safe.
This update follows the wave of critical MOVEit Transfer vulnerabilities that were leveraged in high‑profile ransomware campaigns earlier this year, underscoring the ongoing risk to file‑transfer platforms. In addition to patching, organizations should enforce least‑privilege access, enable comprehensive audit logging, and monitor for indicators of compromise such as unexpected API calls with forged tokens or irregular admin sessions.