MOVEit Customers Urged to Patch Third Critical Vulnerability

Progress Software is urging MOVEit customers to apply patches to a third critical vulnerability in the file transfer software in less than one month.

Tracked as CVE-2023-35708, the latest vulnerability is described as an SQL injection flaw that could allow an unauthenticated attacker to escalate privileges and access the MOVEit Transfer database.

“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” Progress explains in an advisory.

The vulnerability impacts MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). 

Proof-of-concept (PoC) code targeting the bug was released on June 15, prompting swift response from Progress, which notes that the bug was made public “in a way that did not follow normal industry standards”. 

CVE-2023-35708 is the third critical SQL injection flaw that Progress patches in its MOVEit products in roughly three weeks, after a zero-day vulnerability was disclosed on May 31 and a second critical bug patched a week later.

The first issue, CVE-2023-34362, started being widely exploited in late May, but security researchers found evidence suggesting that exploitation may have started two years ago.

More than 100 organizations have been impacted by attacks targeting the MOVEit zero-day, with the recent campaign attributed to the Cl0p ransomware gang, which has started publicly naming some of the victims.

Known victims to date include the U.S. Department of Energy, Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia government, British Airways, the British Broadcasting Company, Aer Lingus, U.K. drugstore chain Boots, University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Victims are in Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the UK, and the US. Most of the victims are in the US, Malwarebytes notes.

The second issue, CVE-2023-35036, was disclosed on June 9, but does not appear to have been exploited in the wild. Progress says it has no evidence that CVE-2023-35708 has been exploited either, but urges customers to apply the latest patches as soon as possible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company underlines.

To prevent unauthorized access to the MOVEit Transfer environment, customers should disable HTTP and HTTPS traffic – allowing for localhost access only – apply the available patches (the June 15th patch also resolves the previous vulnerabilities), and then re-enable HTTP and HTTPS traffic.

Progress has released both DLL drop-in patches and full MOVEit Transfer installers to resolve the bugs. Additional instructions on applying the patches can be found in the company’s advisory.

Related: Chrome 114 Update Patches Critical Vulnerability

Related: Fortinet Patches Critical FortiGate SSL VPN Vulnerability

Related: Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions