Just days after Progress Software patched a widely exploited zero-day vulnerability in its MOVEit Transfer app, the company has issued a second patch to address additional SQL injection vulnerabilities in the app that a security vendor uncovered during a code review this week.
The vulnerabilities are present in all MOVEit Transfer versions and could allow an unauthenticated attacker to gain access to the MOVEit Transfer database and to modify or steal data in it. The new flaws have not been assigned a CVE yet but will get one soon.
"The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," Progress said.
In a June 9 advisory, Progress urged customers to install the new patch immediately, citing the potential for threat actors to exploit the flaws in more attacks. "These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023," Progress said. "All MOVEit Transfer customers must apply the new patch, released on June 9, 2023."
Progress said Huntress discovered the vulnerabilities as part of a code review.
Additional SQL Vulnerability as Exploits Continue
Progress Software's new patch comes amid reports of the Cl0p ransomware group widely exploiting a separate, zero-day flaw (CVE-2023-34362) in MOVEit Transfer. The threat group discovered the flaw about two years ago and has been exploiting it to steal data from thousands of organizations worldwide. Known victims include the BBC, British Airways, and the government of Nova Scotia. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations of the potential for widespread impact going forward.
Researchers from Huntress discovered the vulnerabilities during their analysis of the MOVEit Transfer app. They had earlier provided a detailed analysis of how Cl0p threat actors had exploited the zero-day vulnerability in their worldwide extortion campaign.
"Huntress uncovered different attack vectors following our proof-of-concept recreation of the original exploit, and evaluating the effectiveness of the first patch," a Huntress spokesperson says. "These are distinct flaws not addressed in the initial patch, and we responsibly disclosed these to the Progress team, encouraging this secondary patch release."
Currently, Huntress has not observed any new exploitation surrounding this new CVE, he adds — though that could quickly change.
Additional File Transfer CVE: Patch Now
According to Progress, organizations that have already applied the company's patch for the original zero-day bug from May 31, 2023, can immediately apply the patch for the new vulnerabilities as outlined in its remediation advice. Organizations that have not yet patched against the first flaw should instead follow the alternate remediation and patching steps that Progress has outlined.
Progress has automatically patched MOVEit Cloud with the latest update as well, but "we encourage customers to review their audit logs for signs of unexpected or unusual file downloads, and continue to review access logs and systems logging, together with our systems protection software logs."