Progress Software revealed another vulnerability in its MOVEit Transfer application. The disclosure of this vulnerability comes shortly after Progress Software announced a different set of SQL injection vulnerabilities that could be used to gain access to the database content of the application.

Diving into details

This new flaw, currently awaiting a CVE identifier, can be exploited for elevated privileges and unauthorized access to the environment.

Although Progress did not disclose the source of the information regarding the new SQL injection flaw in MOVEit Transfer, a security researcher has taken to Twitter to share details, including what appears to be proof-of-concept exploit code for this newly discovered zero-day vulnerability.

The second bug

On Friday, Progress warned customers of a set of critical SQL injection vulnerabilities in MOVEit Transfer.
  • Collectively tracked as CVE-2023-35036, these vulnerabilities impact all versions of MOVEit Transfer and allow unauthorized attackers to compromise internet-exposed servers, potentially modifying or extracting customer information.

Abused by Cl0p ransomware group

The Cl0p ransomware gang has claimed responsibility for launching multiple attacks involving the first MOVEit Transfer vulnerability.
  • According to a representative from the group, it began exploiting the vulnerability on May 27. 
  • Following the deadline of June 14, the Cl0p ransomware group publicly disclosed the names of over two dozen organizations affected by the attacks.
  • Among the targeted entities are Shell, as well as organizations in various sectors such as finance, healthcare, manufacturing, IT, pharmaceuticals, and education. 
  • The majority of victims are banks and financial institutions based in the U.S., followed by healthcare organizations.

The remedy

A patch for the latest vulnerability is currently being tested and will be released soon, according to the company. To safeguard their environments, MOVEit Transfer customers are advised to disable HTTP and HTTPS traffic until the patch is finalized. As a temporary measure, modifying firewall rules to block traffic on ports 80 and 443 is recommended. While the web UI login will be unavailable, file transfers can still be conducted over SFTP and FTPS without interruption.
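The interim mitigation above, expressed as an added PowerShell example for a Windows host running MOVEit Transfer (this is not code from Progress or from the article). It assumes Windows Defender Firewall is in use and that the server listens on the default ports: 80/443 for the web UI, 22 for SFTP, and 21/990 for FTPS.

```powershell
# Added example (not from Progress or the article): apply the interim mitigation
# on the MOVEit Transfer host using Windows Defender Firewall. Port numbers are
# assumed defaults: 80/443 web UI, 22 SFTP, 21 and 990 FTPS.
#Requires -RunAsAdministrator

$blockPorts = @(80, 443)        # HTTP/HTTPS listeners to block until the patch ships
$keepPorts  = @(22, 21, 990)    # SFTP and FTPS listeners that must remain reachable

# Create one inbound Block rule per web port. By default an explicit Block rule
# takes precedence over Allow rules, so the existing IIS allow rules need no edits.
foreach ($port in $blockPorts) {
    $name = "MOVEit interim mitigation - block TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Verify the change: block rules are present and enabled, and no enabled inbound
# Block rule covers the file-transfer ports (which would break SFTP/FTPS transfers).
function Test-MoveitMitigation {
    $result = [ordered]@{}
    foreach ($port in $blockPorts) {
        $rule = Get-NetFirewallRule -DisplayName "MOVEit interim mitigation - block TCP $port" `
            -ErrorAction SilentlyContinue
        $result["TCP $port blocked"] = ($null -ne $rule -and $rule.Enabled -eq 'True')
    }
    foreach ($port in $keepPorts) {
        $blocking = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
            Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$port" }
        $result["TCP $port open"] = ($null -eq $blocking)
    }
    return $result
}

Test-MoveitMitigation | Format-Table -AutoSize
```

Remove the two rules by display name once the vendor patch has been applied and validated.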
Cyware Publisher