Progress Software, the digital transformation solutions provider, has had to issue another patch to its MOVEit Transfer app due to additional SQL Injection vulnerabilities that were uncovered during a code review by a security vendor this week. This comes just days after Progress Software issued a patch to fix a widely exploited zero-day vulnerability in its MOVEit Transfer app.
The new vulnerabilities are present in all versions of MOVEit Transfer and could allow an unauthenticated attacker to access the MOVEit Transfer database and to modify or steal data from it. Although these flaws haven’t been assigned a CVE yet, they will receive one soon.
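The flaws described above are SQL injection bugs, so it is worth seeing concretely why they let an unauthenticated request read or change database contents and what the fix looks like in code. The following is an added example, not code from MOVEit Transfer or from Progress Software: it uses an in-memory SQLite table with a made-up `users` schema and contrasts a query built by string concatenation with the parameterized form that keeps untrusted input as data.

```python
import sqlite3


def make_db():
    """Constructed sample database; the schema is an assumption for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect pattern: the caller-controlled value is spliced into SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the value travels as a bound parameter. The database
    # driver never parses it as SQL, so quotes are compared literally.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic textbook tautology input, used here only to show the difference
# between the two query styles on the constructed table.
QUOTE_INPUT = "' OR '1'='1"


def compare(conn):
    """Return how many rows each query style leaks for a normal and a quoted input."""
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_quoted": len(lookup_vulnerable(conn, QUOTE_INPUT)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        "parameterized_quoted": len(lookup_parameterized(conn, QUOTE_INPUT)),
    }


if __name__ == "__main__":
    for name, rows in compare(make_db()).items():
        print(f"{name}: {rows} row(s)")
```

The concatenated query returns every row once a quote reaches it, which is the same class of behaviour that lets an unauthenticated caller read or modify a database through a vulnerable web endpoint; the parameterized query returns nothing for the quoted input because it is compared as an ordinary string. When reviewing code for this bug class, search for any place where request data is formatted into SQL text rather than bound as a parameter.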
Progress Software advised its customers to install the latest patch immediately as the potential exists for threat actors to exploit these new flaws in further attacks. The company stated that these newly discovered vulnerabilities are distinct from the previously reported vulnerability that was shared on May 31, 2023. All MOVEit Transfer customers must apply the new patch, which was released on June 9, 2023.
Although the investigation is ongoing, Progress Software has not seen any signs that these newly discovered vulnerabilities have been exploited yet. Huntress was responsible for discovering the vulnerabilities as part of the code review.
The new patch follows reports that the Cl0p ransomware group has been exploiting a separate, zero-day flaw (CVE-2023-34362) in MOVEit Transfer. This threat group had discovered this flaw around two years ago and has been exploiting it to steal data from thousands of organizations globally, with victims including the BBC, British Airways, and the government of Nova Scotia. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations about the potential for widespread impact going forward.
Researchers from Huntress discovered these latest vulnerabilities during their analysis of the MOVEit Transfer app. They had earlier provided a detailed analysis of how the Cl0p threat actors had exploited the vulnerability in their worldwide extortion campaign. The spokesperson for Huntress reported, “Huntress uncovered different attack vectors following our proof-of-concept recreation of the original exploit and evaluating the effectiveness of the first patch. These are distinct flaws not addressed in the initial patch, and we responsibly disclosed these to the Progress team, encouraging this secondary patch release.”
Currently, Huntress has not observed any new exploitation of these newly disclosed flaws. However, that could quickly change, warns the spokesperson.
Progress advises that organizations that have already applied the company’s patch for the original zero-day bug from May 31, 2023, can apply the latest patch for new vulnerabilities straight away. For those who have not yet patched against this first flaw, Progress advises following alternate remediation and patching steps as outlined in their remediation advice.
Progress Software has automatically patched MOVEit Cloud with the latest update. However, the company encourages its customers to review their audit logs for any signs of unexpected or unusual file downloads, and to continue monitoring access logs, system logs, and the logs of their system protection software.
In conclusion, it’s essential to update and patch all software regularly to prevent threat actors from exploiting vulnerabilities and stealing important data. Progress Software’s quick response in releasing patches is commendable, and it highlights the importance of continuous monitoring and vulnerability testing of all software systems.