Progress Discloses More MOVEit Vulnerabilities, Releases New Patch
The vulnerability is separate from the previously disclosed critical flaw, and ‘all MOVEit Transfer customers must apply the new patch,’ Progress said Friday.
Progress said Friday that MOVEit Transfer customers must now deploy a new patch after more vulnerabilities were uncovered in the managed file transfer tool.
The new vulnerabilities are separate from the critical zero-day flaw that Progress patched on May 31, which affects MOVEit Transfer and MOVEit Cloud. The previously disclosed vulnerability (tracked at CVE-2023-34362) has been exploited by the Clop ransomware group, according to security researchers and the group itself.
On Friday, Progress disclosed the new MOVEit Transfer vulnerabilities—which have not yet been assigned CVE numbers—in an update to its advisory about the original MOVEit vulnerability.
Code reviews of MOVEit Transfer, which were performed with the help of cybersecurity vendor Huntress, uncovered “additional vulnerabilities that could potentially be used by a bad actor to stage an exploit,” Progress said in its updated advisory.
“Currently, we have not seen indications that these newly discovered vulnerabilities have been exploited,” the company said.
Progress released a new patch to address the additional vulnerabilities Friday, and “all MOVEit Transfer customers must apply the new patch,” the company said.
‘Wide Exploitation’ Of Original Flaw
The previously discovered MOVEit vulnerability “could lead to escalated privileges and potential unauthorized access to the environment,” Progress had said in its original disclosure.
Mandiant, a prominent incident response firm owned by Google Cloud, said in a post that it has “observed wide exploitation of [the flaw] in the MOVEit Transfer secure managed file transfer software for subsequent data theft.”
The company said it has seen exploit activity utilizing the vulnerability as far back as May 27, “resulting in deployment of web shells and data theft.”
“In some instances, data theft has occurred within minutes of the deployment of web shells,” Mandiant said in the post.