New MOVEit Transfer critical flaws found after security audit, patch now
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution that can let attackers steal information from customers' databases.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.
"All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company added.
In a message sent to BleepingComputer over the weekend, the Clop ransomware gang claimed responsibility for targeting the CVE-2023-34362 MOVEit Transfer zero-day, which led to a series of data-theft attacks that have allegedly affected "Hundreds of companies."
Kroll security experts also found evidence that Clop has been looking for ways to exploit the now-patched MOVEit zero-day since 2021, as well as methods to extract data from compromised MOVEit servers since at least April 2022.
Since Clop's MOVEit data-theft attacks were disclosed, affected organizations have slowly started coming forward to acknowledge data breaches and security incidents.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress MOVEit Cloud and MOVEit Transfer. In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |