Progress Software issues new critical fix for MOVEit Transfer app

Soon after Progress Software disclosed a critical zero-day vulnerability in its MOVEit Transfer file transfer application and urged users to patch the SQL injection vulnerability immediately, a new critical vulnerability has been found and a second patch has been issued. Progress warns "all versions of MOVEit Transfer are affected by this vulnerability."

Progress partnered with a third-party cybersecurity firm to investigate the zero-day disclosed on May 31, CVE-2023-34362. During the investigation, Huntress uncovered additional vulnerabilities, separate from the first SQL injection, that could be exploited by bad actors. Progress said on Friday that the Common Vulnerabilities and Exposures (CVE) designations are pending while MITRE, the CVE numbering authority, processes the reservation requests.

The multiple new SQL injection vulnerabilities could allow an unauthenticated attacker to gain access to the MOVEit Transfer database. Such an attacker could submit a crafted payload to a MOVEit Transfer application endpoint, resulting in modification and disclosure of MOVEit database content.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. All versions of MOVEit Transfer are affected by this vulnerability. Patches for this vulnerability are available for supported versions and are listed in the Recommended Remediation section," Progress wrote in a security bulletin.

Progress said it hasn’t seen indications that the newly discovered vulnerabilities were exploited. Customers are urged to apply both patches.

The Clop ransomware group, which Microsoft has linked to the exploitation of the zero-day in the MOVEit Transfer app, is believed to have spent nearly two years experimenting with the vulnerability before striking in mass exploitation events, according to Kroll researchers.

As previously reported, the vulnerability disclosed in May could lead to escalated privileges and potential unauthorized access to millions of IT environments.

Known victims of the exploit include the BBC, British Airways, UK drugstore chain Boots, the provincial government of Nova Scotia and payroll service provider Zellis.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
