Progress Software has fixed a third SQL injection vulnerability (CVE-2023-35708) in its MOVEit Transfer web application, which could lead to escalated privileges and unauthorized access. The Cl0p cyber extortion gang exploited a previous vulnerability (CVE-2023-34362) to grab enterprise data and has started disclosing the names of victim organizations, including Shell, banks, media companies, and universities. Progress Software has urged customers to update their MOVEit Transfer installations to the latest versions to fix the vulnerability.
Progress Software has disclosed a third vulnerability in its MOVEit Transfer application, which is yet to be assigned a CVE identifier, that could lead to escalated privileges and potential unauthorized access to the environment. The Cl0p ransomware gang has been deploying extortion tactics against affected companies, and the vulnerability has been exploited in data theft attacks. Progress Software is urging its customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 to safeguard their environments while a patch is being prepared to address the weakness.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems by June 23 to fix an actively exploited SQL injection vulnerability in Progress MOVEit Transfer, a managed file transfer solution. The flaw allows remote attackers to access the database and execute arbitrary code. Threat actors have been exploiting the vulnerability since at least May 27, with mass exploitation and data theft occurring. Private companies are also advised to prioritize securing their systems against the flaw. Progress advises all customers to patch their MOVEit Transfer instances or disable HTTP and HTTPS traffic to reduce the attack surface.