
MOVEit Transfer customers warned of new flaw as PoC info surfaces
2023-06-15 20:58

Progress warned MOVEit Transfer customers to restrict all HTTP access to their environments after info on a new SQL injection vulnerability was shared online today.

"Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment," Progress said.

"We have taken HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPS traffic to safeguard their environments while the patch is finalized," it added.

Until security updates are released for the affected MOVEit Transfer versions, Progress strongly recommends modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 as a temporary workaround.
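One way to apply that workaround on the server itself, as an added example (this is not Progress's own script or guidance, and the rule names are arbitrary choices made here): the snippet assumes a Windows Server host running MOVEit Transfer on the default TCP ports 80 and 443 with Windows Defender Firewall enabled, and is run from an elevated PowerShell session. It creates inbound block rules for the two ports, verifies them, and shows how to confirm the listener is unreachable and how to remove the rules once the vendor patch is installed.

```powershell
# Added example (not Progress's own script): temporary Windows Defender
# Firewall block of inbound HTTP/HTTPS to a MOVEit Transfer host until the
# patch is applied. Assumes MOVEit Transfer listens on the default TCP
# ports 80 and 443; the rule names below are arbitrary choices for this example.
# Run in an elevated PowerShell session on the MOVEit Transfer server.

$ruleNames = @{
    'MOVEit-Block-HTTP'  = 80
    'MOVEit-Block-HTTPS' = 443
}

# 1. Create one inbound Block rule per port, on every network profile.
#    In Windows Firewall a Block rule takes precedence over any Allow rule
#    matching the same traffic, so the existing MOVEit/IIS allow rules can
#    stay in place untouched. Only 80/443 are affected; other listeners on
#    the host are not.
foreach ($name in $ruleNames.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Protocol TCP -LocalPort $ruleNames[$name] `
            -Profile Any -Action Block -Enabled True | Out-Null
    }
}

# 2. Verify the rules exist, are enabled, and carry the expected port.
Get-NetFirewallRule -DisplayName 'MOVEit-Block-*' |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        '{0,-20} Enabled={1} Action={2} Port={3}' -f $_.DisplayName, $_.Enabled, $_.Action, $port
    }

# 3. From a different machine, confirm the web listener is no longer reachable.
#    Replace the hostname; TcpTestSucceeded should now be False for 80 and 443:
#    Test-NetConnection -ComputerName moveit.example.com -Port 443

# 4. Once the vendor patch is installed and verified, remove the block rules:
#    Get-NetFirewallRule -DisplayName 'MOVEit-Block-*' | Remove-NetFirewallRule
```

Host-level rules are a stopgap for servers you administer directly; if the MOVEit Transfer instance sits behind an edge firewall or load balancer, deny 80/443 there as well so the block does not depend on the host's own configuration surviving a reboot or a policy refresh.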

While Progress didn't say where details on this new SQLi flaw were shared, at least one security researcher has posted on Twitter what looks like proof-of-concept exploit code for a new MOVEit Transfer zero-day bug.

CVE-2023-35036 affects all MOVEit Transfer versions prior to the fixed releases listed below and lets unauthenticated attackers compromise unpatched, Internet-exposed servers and reach the data they hold.


News URL

https://www.bleepingcomputer.com/news/security/moveit-transfer-customers-warned-of-new-flaw-as-poc-info-surfaces/

Related Vulnerability

Date: 2023-06-12
CVE: CVE-2023-35036
Title: SQL Injection vulnerability in Progress MOVEit Transfer
Description: In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.
Attack vector: network
Attack complexity: low
Vendor: Progress
Weakness: CWE-89
Risk: critical (score 9.1)