Yet another critical SQL injection vulnerability has been disclosed and patched in Progress Software's MOVEit Transfer software — the fourth such flaw revealed in the space of a month.
The security bug (CVE-2023-36934) is distinct from the earlier zero-day flaw that is still being exploited with resounding success by the Cl0p ransomware gang. But like that bug, it is an SQL injection that could allow unauthenticated attackers to read and modify MOVEit Transfer databases, and from there deploy malware, manipulate files, or exfiltrate information.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," according to the Progress advisory on the bug.
The flaw has not been exploited in the wild so far, according to the advisory, but given its severity, users are urged to patch as soon as possible, along with two high-severity vulnerabilities (CVE-2023-36932 and CVE-2023-36933) disclosed at the same time.
The bugs affect MOVEit Transfer versions 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
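A quick way to triage an inventory against the version ranges listed above is to parse each installed version and compare it with the highest affected patch level per branch. The script below is an added example, not Progress tooling; the hostnames and version strings in the sample inventory are constructed, and it deliberately reports branches the list does not name as "unlisted" rather than guessing whether they are affected.

```python
"""Triage MOVEit Transfer versions against the affected ranges quoted in the
article (12.1.10, 13.0.8, 13.1.6, 14.0.6, 14.1.7, 15.0.3 and earlier).
Added example; it is not part of the original article or of Progress's tooling."""
from typing import Dict, List, Tuple

# (major, minor) -> highest affected patch on that branch, from the article's list.
AFFECTED_MAX_PATCH: Dict[Tuple[int, int], int] = {
    (12, 1): 10,
    (13, 0): 8,
    (13, 1): 6,
    (14, 0): 6,
    (14, 1): 7,
    (15, 0): 3,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into integers; reject anything else loudly,
    since a silently mis-parsed version would hide an affected host."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'affected', 'patched', or 'unlisted'.

    'unlisted' means the major.minor branch does not appear in the article's
    list; that is an assumption boundary, not a statement that it is safe.
    """
    major, minor, patch = parse_version(version)
    limit = AFFECTED_MAX_PATCH.get((major, minor))
    if limit is None:
        return "unlisted"
    return "affected" if patch <= limit else "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'affected' bucket can be patched first."""
    buckets: Dict[str, List[str]] = {"affected": [], "patched": [], "unlisted": []}
    for host, version in inventory.items():
        buckets[assess(version)].append(host)
    for names in buckets.values():
        names.sort()
    return buckets


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "mft-prod-01": "15.0.3",   # last affected patch on the 15.0 branch
    "mft-prod-02": "15.0.4",   # one patch level above the affected range
    "mft-dr-01": "14.1.2",     # well inside the 14.1 affected range
    "mft-legacy": "11.2.5",    # branch not named in the article's list
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Run it as-is to see the sample buckets, or replace SAMPLE_INVENTORY with output from your own asset inventory. Hosts that land in "unlisted" still need a manual check against the vendor advisory.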
Meanwhile, the Cl0p campaign is galloping on: the extortion gang claims more than 200 victims so far, including government agencies. The blast radius has been widened by compromised third-party vendors, whose breaches expose their downstream customers as well.
Progress said this week that it plans to release MOVEit product updates every two months from now on.