New MOVEit Transfer critical flaws found after security audit

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

Progress Software, the company behind the MOVEit secure managed file transfer (MFT) tool, has warned users it has found a separate vulnerability that can also be used to steal their sensitive data with malware, and urged them to apply the newly released patch - immediately.

Earlier this month, it was revealed that MOVEit carried a high severity flaw that allowed threat actors to exfiltrate data from an undisclosed number of users, highly likely in the hundreds. 

The vulnerability is tracked as CVE-2023-34362. Soon after news broke, a threat actor known as Clop, a hacking group allegedly affiliated with the Russian government, assumed responsibility for the attack, saying data samples will soon appear on its data leak site, and that the negotiations with affected clients are ongoing.

Code audit

MOVEit is a file transfer tool used by enterprises, as well as small and medium-sized businesses (SMB), to share sensitive data, such as personally identifiable information, banking data, health information, and similar, in a secure manner. That helps businesses prevent incidents that can lead to identity theft, wire fraud, and more.

In response to the incident, Progress conducted a detailed code review with the help of the cybersecurity firm Huntress, which is when the new bug was discovered. It’s described as an SQL injection flaw that can enable data exfiltration and theft. All versions of MOVEit are affected, it was added. 

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress said. "All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company added.

MOVEit Cloud has already been patched, the company added.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.