Security News > 2023 > June > New MOVEit Transfer critical flaws found after security audit, patch now
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution that can let attackers steal information from customers' databases.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.
"All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company added.
The Clop ransomware gang has claimed responsibility for targeting the CVE-2023-34362 MOVEit Transfer zero-day in a message sent to Bleepingomputer over the weekend, which led to a series of data-theft attacks that have allegedly affected "Hundreds of companies."
Kroll security experts also found evidence that Clop has been looking for ways to exploit the now-patched MOVEit zero-day since 2021, as well as methods to extract data from compromised MOVEit servers since at least April 2022.
Since Clop's MOVEit data theft attacks have been disclosed, affected organizations have slowly started coming forward to acknowledge data breaches and security incidents.
News URL
Related news
- Major security audit of critical FreeBSD components now available (source)
- Progress urges admins to patch critical WhatsUp Gold bugs ASAP (source)
- Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |