New MOVEit Transfer Vulnerabilities Include ‘Critical’ Flaw

As the fallout continues from exploits of an earlier critical vulnerability in the MOVEit file transfer tool, Progress released fixes for three more flaws in the software, including one new critical-severity vulnerability.

Progress has released patches for three additional vulnerabilities in MOVEit Transfer, including a new critical flaw, even as the victim list from exploits of an earlier critical vulnerability in the tool continues to grow.

The new critical-severity vulnerability (tracked at CVE-2023-36934) “could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” Progress said in its advisory.

[Related: 8 Tech And IT Companies Targeted In The MOVEit Attacks]

The issue was discovered by a Trend Micro researcher working with the company’s Zero Day Initiative. The other two newest MOVEit Transfer vulnerabilities (CVE-2023-36932 and CVE-2023-36933) have a “high” severity rating, and were discovered via the HackerOne platform.

Progress said it “highly recommends” deploying the updated versions of MOVEit Transfer with fixes for the vulnerabilities.

The company noted that organizations must first apply the May 31 patch for the original critical vulnerability (CVE-2023-34362) before upgrading to the latest versions of the MOVEit Transfer software.

Widespread Attacks

While there was no mention of the latest vulnerabilities having seen exploitation, the original critical vulnerability, which was reported by Progress on May 31, has spawned a massive cyberattack campaign. There are now more than 220 known victims of the MOVEit attacks, with more than 17.5 million individuals impacted, according to tallies by Emsisoft threat analyst Brett Callow.

Among the latest companies to confirm having been affected is telecom networking equipment vendor Ciena, which told CRN Thursday that a “limited amount of data may have been impacted.”

The company provided the statement after its name appeared on the dark web site of the cybercriminal group Clop. The Russian-speaking gang has been demanding extortion payments from alleged breach victims in exchange for not posting stolen data on its site.

Not all companies that have appeared on Clop’s dark web site have confirmed that they were actually affected in the MOVEit cyberattack campaign, however. Iron Bow Technologies, a major IT solution provider whose name was posted on Clop’s site last week, said in a statement provided to CRN that it “was not impacted.”

Managed file transfer tools, such as MOVEit Transfer, enable the ingestion of large volumes of data that can then be moved from point to point, making them an appealing target for data thieves.

The original critical MOVEit vulnerability can enable escalation of administrative privileges and unauthorized access, Progress has said.