Progress Software Issues New Critical Fix For MOVEit Transfer App
Soon after Progress Software disclosed a critical zero-day vulnerability in its MOVEit Transfer file transfer application and urged users to patch the SQL injection vulnerability immediately, a new critical vulnerability has been found and a second patch has been issued. Progress warns “all versions of MOVEit Transfer are affected by this vulnerability.”
Progress partnered with a third-party cybersecurity firm to investigate the zero-day disclosed on May 31, CVE-2023-34362. During the investigation, Huntress uncovered additional vulnerabilities that could be exploited by bad actors that are separate from the first SQL injection. Progress said on Friday the common vulnerabilities and exposures (CVE) designations are pending CVE authority MITRE reserve status processing.
The multiple new SQL injection vulnerabilities could allow an unauthenticated attacker to gain access to the MOVEit Transfer database, who could then submit a crafted payload to a MOVEit Transfer application endpoint and result in modification and disclosure of MOVEit database content.
“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. All versions of MOVEit Transfer are affected by this vulnerability. Patches for this vulnerability are available for supported versions and are listed in the Recommended Remediation section,” Progress wrote in a security bulletin.
Progress said it hasn’t seen indications that the newly discovered vulnerabilities were exploited. Customers are urged to apply both patches.
The Clop ransomware group, which Microsoft has attributed with exploiting the zero-day in the MOVEit Transfer app, is believed to have spent nearly two years experimenting with the vulnerability before striking in mass exploitation events, according to Kroll researchers.
As previously reported, the vulnerability disclosed in May could lead to escalated privileges and potential unauthorized access to millions of IT environments.
Known victims of the exploit include the BBC, British Airways, UK drugstore chain Boots, the provincial government of Nova Scotia and payroll service provider Zellis.
READ MORE HERE