Security News > 2023 > June > New MOVEit Transfer critical flaws found after security audit, patch now
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution that can let attackers steal information from customers' databases.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.
"All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company added.
The Clop ransomware gang has claimed responsibility for targeting the CVE-2023-34362 MOVEit Transfer zero-day in a message sent to Bleepingomputer over the weekend, which led to a series of data-theft attacks that have allegedly affected "Hundreds of companies."
Kroll security experts also found evidence that Clop has been looking for ways to exploit the now-patched MOVEit zero-day since 2021, as well as methods to extract data from compromised MOVEit servers since at least April 2022.
Since Clop's MOVEit data theft attacks have been disclosed, affected organizations have slowly started coming forward to acknowledge data breaches and security incidents.
News URL
Related news
- Critical Security Flaw Found in Popular LayerSlider WordPress Plugin (source)
- Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs (source)
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability (source)
- 73% of SME security pros missed or ignored critical alerts (source)
- 10 Critical Endpoint Security Tips You Should Know (source)
- DHS establishes AI Safety and Security Board to protect critical infrastructure (source)
- U.S. Government Releases New AI Security Guidelines for Critical Infrastructure (source)
- Patch up – 4 critical bugs in ArubaOS lead to remote code execution (source)
- Critical infrastructure security will stay poor until everyone pulls together (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |