Urgent Patching Required for Third Critical Vulnerability in MOVEit Software
Progress Software is warning MOVEit customers about a third critical vulnerability in its file transfer software and urging them to patch immediately to mitigate the risk it poses.
This comes shortly after the disclosure of a zero-day vulnerability and another critical bug in recent weeks.
Key Takeaways:
- Immediate Action Required: MOVEit customers must promptly apply the patch to address the critical CVE-2023-35708 vulnerability and mitigate potential risks to their systems.
- Heightened Risk Landscape: The successive discovery of multiple critical vulnerabilities emphasizes the importance of robust security measures and proactive patch management to combat evolving threats.
- Impact and Reach of Attacks: The significant number of impacted organizations and the public exposure of victims highlight the severity and global reach of the MOVEit zero-day campaign.
Vulnerability Details
The latest vulnerability, identified as CVE-2023-35708, is classified as an SQL injection flaw that could potentially allow an unauthorized attacker to escalate privileges and gain access to the MOVEit Transfer database. Progress Software explains that a crafted payload could be submitted to an application endpoint, leading to the modification and disclosure of sensitive database content.
Affected Versions
The vulnerability impacts MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
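As an added triage helper (not Progress Software's code and not from the article): given an installed MOVEit Transfer version string in either the year form or the internal build form the advisory prints in parentheses, it reports whether the install is below the fix level for CVE-2023-35708. The internal-to-year mapping (13 to 2021, 14 to 2022, 15 to 2023) is assumed from the pairs listed above; the host inventory is constructed sample data.

```python
import re

# Fix level per release branch, as stated in the advisory text above.
FIXED_VERSIONS = {
    (2021, 0): (2021, 0, 8),
    (2021, 1): (2021, 1, 6),
    (2022, 0): (2022, 0, 6),
    (2022, 1): (2022, 1, 7),
    (2023, 0): (2023, 0, 3),
}
# The advisory prints each fixed build with an internal number in parentheses
# (2021.0.8 is 13.0.8, 2022.1.7 is 14.1.7). Assumption: that mapping holds for
# every build in a branch, so both forms can be normalised to the year form.
INTERNAL_TO_YEAR = {13: 2021, 14: 2022, 15: 2023}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")

def parse_version(text):
    """Return (year, minor, patch) for either '2022.1.6' or '14.1.6'."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (INTERNAL_TO_YEAR.get(major, major), minor, patch)

def triage(text):
    """'vulnerable', 'patched', or 'not covered' (a branch newer than any listed)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return "vulnerable" if version < FIXED_VERSIONS[branch] else "patched"
    # Branches older than the oldest fixed one received no fix at all.
    if branch < min(FIXED_VERSIONS):
        return "vulnerable"
    return "not covered"

def needs_patch(inventory):
    """Hosts from a {host: version} inventory that are still below fix level."""
    return sorted(h for h, v in inventory.items() if triage(v) == "vulnerable")

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or data from the article.
    sample = {"mft-01": "2021.0.7", "mft-02": "14.1.7",
              "mft-03": "2020.1.6", "mft-04": "2023.0.3"}
    for host, version in sample.items():
        print(host, version, triage(version))
    print("needs patch:", needs_patch(sample))
```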
Swift Response and PoC Release
Proof-of-concept (PoC) code targeting the CVE-2023-35708 vulnerability was made public on June 15, prompting Progress Software to swiftly address the issue. The company notes that the bug’s disclosure did not adhere to standard industry practices.
Series of Critical Vulnerabilities
This marks the third critical SQL injection flaw that Progress Software has patched in its MOVEit products in a span of approximately three weeks. The first vulnerability, CVE-2023-34362, has been actively exploited since late May, with evidence suggesting exploitation may have occurred as early as two years ago. The second issue, CVE-2023-35036, disclosed on June 9, has not been observed in real-world attacks.
Impacted Organizations and Publicized Victims
Over 100 organizations have fallen victim to attacks targeting the MOVEit zero-day vulnerability. The recent campaign has been attributed to the Cl0p ransomware gang, which has publicly named some victims. Among the known victims are prominent entities such as the U.S. Department of Energy, Louisiana’s Office of Motor Vehicles, British Airways, the University of Rochester, and more. Victims are located across Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the UK, and the US, with a significant concentration in the US.
Conclusion
Progress Software’s prompt response to the series of critical vulnerabilities in MOVEit Transfer underscores its commitment to customer security. With the disclosure of the third flaw, urgency in patching is essential to safeguard systems against potential exploitation.
Organizations should follow the provided instructions, apply the available patches, and take necessary precautions to prevent unauthorized access to the MOVEit Transfer environment.