Security News > 2023 > June > New MOVEit Transfer critical flaws found after security audit, patch now
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution that can let attackers steal information from customers' databases.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.
"All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company added.
The Clop ransomware gang has claimed responsibility for targeting the CVE-2023-34362 MOVEit Transfer zero-day in a message sent to Bleepingomputer over the weekend, which led to a series of data-theft attacks that have allegedly affected "Hundreds of companies."
Kroll security experts also found evidence that Clop has been looking for ways to exploit the now-patched MOVEit zero-day since 2021, as well as methods to extract data from compromised MOVEit servers since at least April 2022.
Since Clop's MOVEit data theft attacks have been disclosed, affected organizations have slowly started coming forward to acknowledge data breaches and security incidents.
News URL
Related news
- Major security audit of critical FreeBSD components now available (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |