Progress Software has issued a patch for a second set of SQL injection vulnerabilities in its MOVEit Transfer app, days after patching a widely exploited zero-day in the same product.
The new vulnerabilities are present in all MOVEit Transfer versions and could allow an unauthenticated attacker to gain access to the MOVEit Transfer database and to modify or steal the data in it. They have not yet been assigned a CVE identifier, but will receive one soon.
On June 9, Progress urged customers to install the new patch immediately, citing the potential for threat actors to exploit the flaws in further attacks. “These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023,” Progress said. “All MOVEit Transfer customers must apply the new patch, released on June 9, 2023.”
Progress Software’s new patch comes amid reports of the Cl0p ransomware group widely exploiting a separate zero-day flaw (CVE-2023-34362) in MOVEit Transfer. According to those reports, the group discovered the flaw about two years ago and has been exploiting it to steal data from thousands of organizations worldwide.
Huntress researchers discovered the new vulnerabilities while analyzing the MOVEit Transfer app; they had earlier published a detailed analysis of how Cl0p exploited CVE-2023-34362 in its worldwide extortion campaign.
Huntress has not observed any exploitation of the newly disclosed vulnerabilities so far, though that could change quickly.
Organizations that have already applied Progress’s patch for the original zero-day bug from May 31, 2023, can apply the patch for the new vulnerabilities immediately, following the company’s remediation advice.
Organizations that have not yet patched against the first flaw should instead follow the alternate remediation and patching steps that Progress has outlined, which cover both issues.