Connect with us

Hi, what are you looking for?



New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward

Researchers discover new MOVEit vulnerabilities related to the zero-day, just as more organizations hit by the attack are coming forward.

MOVEit zero-day exploited

Progress Software has released another round of patches for its MOVEit products after researchers discovered new vulnerabilities while analyzing the recent zero-day. The news comes just as more organizations hit by the zero-day attack have come forward.

The zero-day affecting the MOVEit Transfer and Cloud managed file transfer (MFT) software, tracked as CVE-2023-34362 and described as an SQL injection issue, has been exploited to steal data from organizations that have been using the product. The flaw started being widely exploited in late May, but new evidence suggests that cybercriminals have been testing it since as early as 2021

The attacks were conducted by a cybercrime group known for the Cl0p ransomware operation. The hackers claim to have hit hundreds of organizations, giving them until June 14 to get in touch in order to prevent data stolen from their systems from getting leaked. 

In a new advisory published on Friday, Progress informed customers that it has released patches for new vulnerabilities discovered by cybersecurity firm Huntress, whose researchers have been monitoring attacks involving exploitation of CVE-2023-34362.

The vendor said the new flaws “could potentially be used by a bad actor to stage an exploit”, but noted that currently there is no evidence that they have been exploited in the wild. Both MOVEit Transfer and MOVEit Cloud products are again impacted.  

Huntress has described its findings as “further attack vectors” discovered during its analysis.

CVE-2023-35036 has been assigned to the new vulnerabilities, which have also been described as SQL injection bugs that can be exploited by an unauthenticated attacker to access MOVEit databases.   

Advertisement. Scroll to continue reading.

At least 100 organizations have been reportedly hit by attacks exploiting the MOVEit zero-day, but the number of victims could be much higher considering that there are as many as 3,000 internet-exposed systems. 

One of the first victims to come forward was UK-based payroll and HR company Zellis. Several major companies using Zellis services were hit, including the airlines British Airways and Aer Lingus, the BBC, and pharmacy chain Boots. 

The Canadian province of Nova Scotia was also among the first to announce that personal information has been breached as a result of the MOVEit hack. The University of Rochester also disclosed a breach in early June.

The latest victims to come forward are government organizations: the Illinois Department of Innovation & Technology (DoIT) and the Minnesota Department of Education (MDE).

Both organizations became aware of the attacks on May 31 and they both took immediate action to secure their servers. 

“DoIT’s investigation is ongoing and the full extent of this incident is still being determined, but DoIT believes a large number of individuals could be impacted,” DoIT said. 

The Minnesota Education Department has determined that 24 files were accessed by hackers. These files contained the information of roughly 95,000 students placed in foster care, including names, dates of birth and county of placement. 

Dozens of other students also had information exposed, including name, date of birth, address, parent name, high school and college transcript information, and the last four digits of the their social security number. 

“To date there have been no ransom demands nor is MDE aware that the data has been shared or posted online. Additionally, no virus or other malware was uploaded to MDE’s hardware systems,” the organization said. 

The Cl0p ransomware operators claim on their website that they will not attempt to extort money from impacted government organizations, including cities and law enforcement agencies. 

“We erased all your data. You do not need to contact us. We have no interest to expose such information,” the hackers wrote. 

American networking solutions provider Extreme Networks also announced being impacted by the MOVEit attack last week. The company is in the process of determining whether customer information has been compromised.

Related: Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.