MOVEit Customers Urged to Patch Third Critical Vulnerability

A critical vulnerability (CVE-2023-35708) in MOVEit software could allow unauthenticated attackers to access database content.

Progress Software is urging MOVEit customers to apply patches for a third critical vulnerability in the file transfer software in less than a month.

Tracked as CVE-2023-35708, the latest vulnerability is described as an SQL injection flaw that could allow an unauthenticated attacker to escalate privileges and access the MOVEit Transfer database.

“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” Progress explains in an advisory.

The vulnerability impacts MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). 
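The fixed releases above are per release branch, so a version has to be compared against the fix for its own branch rather than against the newest number in the list (2022.1.6 is newer than 2022.0.6 but still unpatched). The following Python triage helper is an added example, not code from the article or from Progress; it classifies a MOVEit Transfer version string in either numbering scheme, and its treatment of a branch newer than any listed here as "unknown" is an assumption.

```python
# Added example (not from the article or from Progress): classify a MOVEit
# Transfer version string against the fixed releases listed for
# CVE-2023-35708. Fixes are per release branch, so a plain "newest wins"
# comparison is wrong: 2022.1.6 is newer than 2022.0.6 yet still vulnerable.

# Minimum fixed release for each branch, keyed by (year, minor).
FIXED_RELEASES = {
    (2021, 0): (2021, 0, 8),
    (2021, 1): (2021, 1, 6),
    (2022, 0): (2022, 0, 6),
    (2022, 1): (2022, 1, 7),
    (2023, 0): (2023, 0, 3),
}

# The advisory gives each release in both schemes, e.g. 2021.0.8 (13.0.8);
# this map normalises the internal major number to the year-based one.
INTERNAL_MAJOR_TO_YEAR = {13: 2021, 14: 2022, 15: 2023}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '2022.1.7' or '14.1.7' into a comparable (year, minor, patch)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    major = INTERNAL_MAJOR_TO_YEAR.get(major, major)
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for CVE-2023-35708."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "patched" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch < min(FIXED_RELEASES):
        # Older than every branch that received a fix: there is no fixed
        # release within the branch, so treat as vulnerable.
        return "vulnerable"
    # Assumption: a branch newer than the advisory lists is not covered by the
    # article, so the operator should confirm against the vendor's notes.
    return "unknown"


if __name__ == "__main__":
    for v in ("2023.0.2", "15.0.3", "2022.1.6", "14.0.6", "2020.1.6"):
        print(f"{v:>10}: {assess(v)}")
```

Feed it the version reported by each MOVEit Transfer install in your inventory to separate hosts that still need the June 15 patch from those already on a fixed release.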

Proof-of-concept (PoC) code targeting the bug was released on June 15, prompting a swift response from Progress, which notes that the bug was made public “in a way that did not follow normal industry standards”.

CVE-2023-35708 is the third critical SQL injection flaw that Progress patches in its MOVEit products in roughly three weeks, after a zero-day vulnerability was disclosed on May 31 and a second critical bug patched a week later.

The first issue, CVE-2023-34362, started being widely exploited in late May, but security researchers found evidence suggesting that exploitation may have started two years ago.

More than 100 organizations have been impacted by attacks targeting the MOVEit zero-day, with the recent campaign attributed to the Cl0p ransomware gang, which has started publicly naming some of the victims.


Known victims to date include the U.S. Department of Energy, Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia government, British Airways, the British Broadcasting Company, Aer Lingus, U.K. drugstore chain Boots, University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Victims are in Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the UK, and the US. Most of the victims are in the US, Malwarebytes notes.

The second issue, CVE-2023-35036, was disclosed on June 9, but does not appear to have been exploited in the wild. Progress says it has no evidence that CVE-2023-35708 has been exploited either, but urges customers to apply the latest patches as soon as possible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company underlines.

To prevent unauthorized access to the MOVEit Transfer environment, customers should disable HTTP and HTTPS traffic – allowing for localhost access only – apply the available patches (the June 15th patch also resolves the previous vulnerabilities), and then re-enable HTTP and HTTPS traffic.

Progress has released both DLL drop-in patches and full MOVEit Transfer installers to resolve the bugs. Additional instructions on applying the patches can be found in the company’s advisory.

Related: Chrome 114 Update Patches Critical Vulnerability

Related: Fortinet Patches Critical FortiGate SSL VPN Vulnerability

Related: Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
