A third-party audit reveals new MOVEit vulnerabilities, for which Progress Software has issued patches.




Two developers collaborate on a project as they review code on a display in their workspace.

The developer of the recently exploited MOVEit Transfer application issued new updates after a third-party security audit identified additional SQL injection vulnerabilities. Customers are advised to deploy the new patches as soon as possible since attackers are clearly interested in exploiting this and other enterprise secure file transfer solutions.

“In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers,” Progress Software said in a blog post. ” As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit.”

The new vulnerabilities are tracked under the CVE-2023-35036 identifier and are similar to the previous zero-day one that attackers have been exploiting since May. The flaws could allow unauthenticated attackers to gain access to the MOVEit Transfer database. “An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” the developers said in their new advisory.

Previous MOVEit attacks

Attackers exploited the previous vulnerability to insert new administrative accounts into the MOVEit database and then exfiltrate sensitive files information through the application itself by using a web shell. MOVEit transfer is an enterprise web-based platform for managed and secure file transfer that has a cloud version as well as a locally hosted version. The company deployed the patches to its cloud service already, but the privately hosted versions need to be patched individually.

The attacker group behind the Clop ransomware took responsibility for the attacks exploiting the May CVE-2023-34362 vulnerability with the goal of extorting money from companies in exchange of deleting the stolen data. This cybercrime gang has exploited vulnerabilities in other managed file transfer solutions in the past, including Accellion File Transfer Appliance (FTA) devices in 2020 and 2021 and the Fortra/Linoma GoAnywhere MFT servers in early 2023. Security researchers found evidence that the attackers experimented with MOVEit Transfer exploits as early as July 2021.

Progress Software maintains active support for multiple major versions of MOVEit Transfer and all of them are affected: MOVEit Transfer 2023.0.x (15.0.x), MOVEit Transfer 2022.1.x (14.1.x), MOVEit Transfer 2022.0.x (14.0.x), MOVEit Transfer 2021.1.x (13.1.x), MOVEit Transfer 2021.0.x (13.0.x) and MOVEit Transfer 2020.1.x (12.1). Versions 2020.0.x (12.0) and older are also affected but are no longer supported, so customers are urged to upgrade to a supported version.

MOVEit patch options

The patched versions as of June 9 that address all known vulnerabilities are: 2023.0.2, 2022.1.6, 2022.0.5, 2021.1.5 and 2021.0.7. A special patch is available for version 2020.1.x (12.1).

Customers have two options for deploying the patches: either with the full installer, which will update the whole installation, or by copying a fixed DLL file. The DLL drop-in method is faster, but it requires the deployed application to already be updated to the previous version in the series. For example, the fixed DLL for the June 9 flaws will only work if customers have previously upgraded their installations with the patches for the May vulnerability. It’s also important for the old version of the DLL to be removed from the system and not be kept as a backup anywhere since it’s vulnerable if attackers can reach it.

Customers who haven’t applied the patch for the May vulnerability yet should directly upgrade to the latest version, which fixes the flaws announced on June 9 as well.

Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2023 IDG Communications, Inc.