Connect with us

Hi, what are you looking for?



MOVEit Customers Urged to Patch Third Critical Vulnerability

A critical vulnerability (CVE-2023-35708) in MOVEit software could allow unauthenticated attackers to access database content.

API Security

Progress Software is urging MOVEit customers to apply patches to a third critical vulnerability in the file transfer software in less than one month.

Tracked as CVE-2023-35708, the latest vulnerability is described as an SQL injection flaw that could allow an unauthenticated attacker to escalate privileges and access the MOVEit Transfer database.

“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” Progress explains in an advisory.

The vulnerability impacts MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). 

Proof-of-concept (PoC) code targeting the bug was released on June 15, prompting swift response from Progress, which notes that the bug was made public “in a way that did not follow normal industry standards”. 

CVE-2023-35708 is the third critical SQL injection flaw that Progress patches in its MOVEit products in roughly three weeks, after a zero-day vulnerability was disclosed on May 31 and a second critical bug patched a week later.

The first issue, CVE-2023-34362, started being widely exploited in late May, but security researchers found evidence suggesting that exploitation may have started two years ago.

Advertisement. Scroll to continue reading.

More than 100 organizations have been impacted by attacks targeting the MOVEit zero-day, with the recent campaign attributed to the Cl0p ransomware gang, which has started publicly naming some of the victims.

Known victims to date include the U.S. Department of Energy, Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia government, British Airways, the British Broadcasting Company, Aer Lingus, U.K. drugstore chain Boots, University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Victims are in Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the UK, and the US. Most of the victims are in the US, Malwarebytes notes.

The second issue, CVE-2023-35036, was disclosed on June 9, but does not appear to have been exploited in the wild. Progress says it has no evidence that CVE-2023-35708 has been exploited either, but urges customers to apply the latest patches as soon as possible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company underlines.

To prevent unauthorized access to the MOVEit Transfer environment, customers should disable HTTP and HTTPS traffic – allowing for localhost access only – apply the available patches (the June 15th patch also resolves the previous vulnerabilities), and then re-enable HTTP and HTTPS traffic.

Progress has released both DLL drop-in patches and full MOVEit Transfer installers to resolve the bugs. Additional instructions on applying the patches can be found in the company’s advisory.

Related: Chrome 114 Update Patches Critical Vulnerability

Related: Fortinet Patches Critical FortiGate SSL VPN Vulnerability

Related: Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.