Brand-New Security Bugs Affect All MOVEit Transfer Versions

Progress has issued a second patch for additional SQL flaws that are distinct from the zero-day that the Cl0p ransomware gang is exploiting.

2 Min Read
File Transfer - exchange of data files between computer systems, text concept button on keyboard
Source: dizain via Shuttertock

Just days after Progress Software patched a widely exploited zero-day vulnerability in its MOVEit Transfer app, the company has issued a second patch to address additional SQL Injection vulnerabilities in it that a security vendor uncovered during a code review this week.

The vulnerabilities are present in all MOVEit Transfer versions and could allow an unauthenticated attacker to gain access to the MOVEit Transfer database and to modify or steal data in it. The new flaws have not been assigned a CVE yet but will get one soon.

"The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," Progress said.

In a June 9 advisory, Progress urged customers to install the new patch immediately, citing the potential for threat actors to exploit the flaws in more attacks. "These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023," Progress said. "All MOVEit Transfer customers must apply the new patch, released on June 9. 2023."

Progress described Huntress as discovering the vulnerabilities as part of a code review.

Additional SQL Vulnerability as Exploits Continue

Progress Software's new patch comes amid reports of the Cl0p ransomware group widely exploiting a separate, zero-day flaw (CVE-2023-34362) in MOVEit Transfer. The threat group discovered the flaw about two years ago and has been exploiting it to steal data from thousands of organizations worldwide. Known victims include the BBC, British Airways, and the government of Nova Scotia. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations of the potential for widespread impact going forward.

Researchers from Huntress discovered the vulnerabilities during their analysis of the MOVEit Transfer app. They had earlier provided a detailed analysis of how Cl0p threat actors had exploited the vulnerability in its worldwide extortion campaign.

"Huntress uncovered different attack vectors following our proof-of-concept recreation of the original exploit, and evaluating the effectiveness of the first patch," a Huntress spokesperson says. "These are distinct flaws not addressed in the initial patch, and we responsibly disclosed these to the Progress team, encouraging this secondary patch release."

Currently, Huntress has not observed any new exploitation surrounding this new CVE, he adds — though that could quickly change.

Additional File Transfer CVE: Patch Now

According to Progress, organizations that have already applied the company's patch for the original zero-day bug from May 31, 2023, can straight away apply the patch for new vulnerabilities as outlined in its remediation advice. Organizations that have not yet patched against the first flaw should instead follow alternate remediation and patching steps that Progress has outlined.

Progress has automatically patched MOVEit Cloud with the latest update as well, but "we encourage customers to review their audit logs for signs of unexpected or unusual file downloads, and continue to review access logs and systems logging, together with our systems protection software logs."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights