
Third MOVEit bug fixed a day after PoC exploit made public
2023-06-16 23:05

Progress Software on Friday issued a fix for a third critical bug in its MOVEit file transfer suite, a vulnerability that had been publicly disclosed only the day before.

A researcher who goes by the handle MCKSys Argentina confirmed to The Register that a June 16 MOVEit patch for CVE-2023-35708 mitigated the researcher's PoC exploit code, which was shared in screenshot form.

It's worth repeating that details of how to abuse the SQL injection flaw were made public a day before the vendor had fixed it, so it is possible that miscreants used that information to attack MOVEit installations before an update could be developed and applied.

"OK, don't tell anybody, but this attack works on current version of Progress MOVEit Transfer: 2023.0.2," as MCKSys Argentina tweeted on Thursday, including a screenshot of an exploit for the bug.

Progress disclosed the first MOVEit flaw on May 31, and issued a patch the next day for CVE-2023-34362.

"There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack," the Louisiana agency said.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/06/16/third_moveit_bug_fixed/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                        RISK
2023-06-16  CVE-2023-35708  SQL Injection vulnerability in Progress MOVEit Transfer                    critical (CVSS 9.8)
            In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.
            Attack vector: network | Attack complexity: low | Vendor: Progress | Weakness: CWE-89
2023-06-02  CVE-2023-34362  SQL Injection vulnerability in Progress MOVEit Cloud and MOVEit Transfer   critical (CVSS 9.8)
            In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.
            Attack vector: network | Attack complexity: low | Vendor: Progress | Weakness: CWE-89
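The two advisories above give a separate "first fixed" build for each supported branch, and they quote each branch in both the marketing scheme (2023.0.x) and the internal scheme (15.0.x). The following is an added example, not code from the page or from Progress, that turns those entries into a version check: it maps a marketing version onto the internal numbering using the pairs in the table, then compares per branch so that, for instance, a 14.1.6 build is reported as patched for CVE-2023-34362 but still exposed to CVE-2023-35708. The fixed versions and branch pairs are taken from the table; the function names and the sample inputs are constructed for illustration, and branches the advisories do not list are flagged as unlisted rather than guessed at.

```python
"""Check a MOVEit Transfer build against the fixed versions in the table above.

Added example (not part of the original page or Progress's own tooling).
The fixed versions and the marketing-to-internal branch pairs
(e.g. 2023.0.3 == 15.0.3) come from the two CVE entries; the function
names and sample inputs are constructed for illustration.
"""

# Marketing branch -> internal branch, as paired in the advisory text.
BRANCH_ALIASES = {
    "2021.0": "13.0",
    "2021.1": "13.1",
    "2022.0": "14.0",
    "2022.1": "14.1",
    "2023.0": "15.0",
}

# First fixed build per internal branch, per CVE (from the table).
FIXED_VERSIONS = {
    "CVE-2023-34362": {"13.0": "13.0.6", "13.1": "13.1.4", "14.0": "14.0.4",
                       "14.1": "14.1.5", "15.0": "15.0.1"},
    "CVE-2023-35708": {"13.0": "13.0.8", "13.1": "13.1.6", "14.0": "14.0.6",
                       "14.1": "14.1.7", "15.0": "15.0.3"},
}


def parse_version(text: str) -> tuple[int, ...]:
    """'15.0.2' -> (15, 0, 2). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(p) for p in parts)


def normalise(text: str) -> tuple[int, ...]:
    """Map a marketing version (2023.0.2) onto the internal scheme (15.0.2).

    Versions already in the internal scheme pass through unchanged.
    """
    parts = parse_version(text)
    branch = f"{parts[0]}.{parts[1]}"
    if branch in BRANCH_ALIASES:
        major, minor = BRANCH_ALIASES[branch].split(".")
        return (int(major), int(minor)) + parts[2:]
    return parts


def assess(text: str) -> dict:
    """Return which of the two CVEs the given build is still exposed to.

    Comparison is per branch: a 14.1.x build counts as fixed only once it
    reaches the 14.1 fix level for that CVE, so 14.1.6 is patched for
    CVE-2023-34362 but not for CVE-2023-35708. Branches the advisories do
    not list (e.g. 12.x) are reported as unlisted, not assumed safe.
    """
    version = normalise(text)
    branch = f"{version[0]}.{version[1]}"
    result = {
        "version": ".".join(map(str, version)),
        "branch": branch,
        "vulnerable_to": [],
        "unlisted": False,
    }
    for cve, fixes in FIXED_VERSIONS.items():
        if branch not in fixes:
            result["unlisted"] = True
            continue
        # Tuple comparison gives correct numeric ordering (14.1.10 > 14.1.7).
        if version < parse_version(fixes[branch]):
            result["vulnerable_to"].append(cve)
    return result


if __name__ == "__main__":
    # Constructed sample inputs, including the build named in the tweet above.
    for v in ["2023.0.2", "15.0.3", "14.1.6", "2021.0.5", "12.1.1"]:
        print(v, "->", assess(v))
```

Run it against the version string reported by an installation's administrative interface; a result with an empty `vulnerable_to` list and `unlisted` set to False means the build is at or above both fix levels for its branch according to the table, while an unlisted branch means the advisories give no fix level to compare against and the build should be treated as out of support rather than as patched.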