Cybersecurity Alert - FINRA Notifies Member Firms of MOVEit Software Vulnerability (CVE-2024-5806)

Impact: All Firms

Firms should review this information with any vendors who provide information technology services to the firm.

On June 25, 2024, Progress Software released the MOVEit Transfer Critical Security Alert Bulletin (the Alert Bulletin) for CVE-2024-5806, a newly identified Critical Vulnerability, which was described as an Improper Authentication vulnerability in MOVEit Transfer, Secure File Transfer Protocol (SFTP) module and could lead to Authentication Bypass.

In the Alert Bulletin, Progress Software recommended performing an upgrade to the latest software version.

The Alert Bulletin also described a newly identified vulnerability in a third-party component used in MOVEit Transfer, which elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress Software on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability:

  • Verify you have blocked public inbound RDP access to MOVEit Transfer server(s); and
  • Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s).

When the third-party vendor releases a fix, Progress Software will make that available to MOVEit Transfer customers.

Past Events:

In June 2023, threat actors exploited a Zero-Day Vulnerability1 associated with MOVEit, a software program developed by IpSwitch, a subsidiary of Progress Software. 

In response, FINRA issued Cybersecurity Alert: FINRA Notifies Member Firms of CISA Advisory (AA23-158A) to all member firms to address the disclosure of the Zero-Day Vulnerability.

In addition to reading the Advisories, FINRA member firms are encouraged to review FINRA Regulatory Notice 22-29 (FINRA Alerts Firms to Ransomware Risks) (December 2022). The Notice provided ransomware guidance for member firms, including key considerations and questions that firms can use to evaluate their cybersecurity programs in light of the continuing ransomware threat. 

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU). Both the FBI and CISA urge you to promptly report cyber incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve members of any existing obligations under federal securities laws and regulations. Members may consider the information in this Alert in developing new, or modifying existing, practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on a member’s size and business model.

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO) and/or Chief Risk Officer (CRO) contacts in FINRA Gateway.

1 The term “Zero-Day” is used when security teams are unaware of their software vulnerability, and they’ve had “0” days to work on a security patch or an update to fix the issue. “Zero-Day” is commonly associated with the terms Vulnerability, Exploit, and Threat. It is important to understand the difference: A Zero-Day Vulnerability is an unknown security vulnerability or software flaw that a threat actor can target with malicious code. (CROWDSTRIKE, What is a Zero-Day Exploit, Kapil Raina - June 10, 2022).