Security News > 2023 > June > Third MOVEit bug fixed a day after PoC exploit made public

Progress Software on Friday issued a fix for a third critical bug in its MOVEit file transfer suite, a vulnerability that had just been disclosed the day earlier.

A researcher who goes by the handle MCKSys Argentina confirmed to The Register that a June 16 MOVEit patch for CVE-2023-35708 mitigated the researcher's PoC exploit code, which was shared in screenshot form.

It's worth repeating that information on how to abuse the SQL injection flaw was made public a day before the software vendor had fixed the issue, so it's possible miscreants used that info to attack MOVEit installations before an update could be developed and applied.

"OK, don't tell anybody, but this attack works on current version of Progress MOVEit Transfer: 2023.0.2," as MCKSys Argentina tweeted on Thursday, including a screenshot of an exploit for the bug.

Progress disclosed the first MOVEit flaw on May 31, and issued a patch the next day for CVE-2023-34362.

"There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack," the Louisiana agency said.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/06/16/third_moveit_bug_fixed/