MOVEit Transfer developer patches more critical flaws after security audit


A third-party audit reveals new MOVEit vulnerabilities, for which Progress Software has issued patches.


The developer of the recently exploited MOVEit Transfer application issued new updates after a third-party security audit identified additional SQL injection vulnerabilities. Customers are advised to deploy the new patches as soon as possible since attackers are clearly interested in exploiting this and other enterprise secure file transfer solutions.

"In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers," Progress Software said in a blog post. "As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit."

The new vulnerabilities are tracked under the CVE-2023-35036 identifier and are similar to the earlier zero-day vulnerability that attackers have been exploiting since May. The flaws could allow unauthenticated attackers to gain access to the MOVEit Transfer database.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," the developers said in their new advisory.

Previous MOVEit attacks

Attackers exploited the previous vulnerability to insert new administrative accounts into the MOVEit database and then exfiltrate sensitive file information through the application itself by using a web shell. MOVEit Transfer is an enterprise web-based platform for managed and secure file transfer that has a cloud version as well as a locally hosted version. The company has already deployed the patches to its cloud service, but the privately hosted versions need to be patched individually.

The attacker group behind the Clop ransomware took responsibility for the attacks exploiting the May CVE-2023-34362 vulnerability, with the goal of extorting money from companies in exchange for deleting the stolen data.

This cybercrime gang has exploited vulnerabilities in other managed file transfer solutions in the past, including Accellion File Transfer Appliance (FTA) devices in 2020 and 2021 and the Fortra/Linoma GoAnywhere MFT servers in early 2023. Security researchers found evidence that the attackers experimented with MOVEit Transfer exploits as early as July 2021.

Progress Software maintains active support for multiple major versions of MOVEit Transfer and all of them are affected: MOVEit Transfer 2023.0.x (15.0.x), MOVEit Transfer 2022.1.x (14.1.x), MOVEit Transfer 2022.0.x (14.0.x), MOVEit Transfer 2021.1.x (13.1.x), MOVEit Transfer 2021.0.x (13.0.x) and MOVEit Transfer 2020.1.x (12.1). Versions 2020.0.x (12.0) and older are also affected but are no longer supported, so customers are urged to upgrade to a supported version.

MOVEit patch options

The patched versions as of June 9 that address all known vulnerabilities are: 2023.0.2, 2022.1.6, 2022.0.5, 2021.1.5 and 2021.0.7. A special patch is available for version 2020.1.x (12.1).

Customers have two options for deploying the patches: either with the full installer, which will update the whole installation, or by copying a fixed DLL file. The DLL drop-in method is faster, but it requires the deployed application to already be updated to the previous version in the series.

For example, the fixed DLL for the June 9 flaws will only work if customers have previously upgraded their installations with the patches for the May vulnerability. It's also important for the old version of the DLL to be removed from the system and not be kept as a backup anywhere since it's vulnerable if attackers can reach it.

Customers who haven't applied the patch for the May vulnerability yet should directly upgrade to the latest version, which fixes the flaws announced on June 9 as well.
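
As an added illustration (not code from Progress Software or from the original article), the Python sketch below applies the version data above to a host inventory and groups hosts by the patch action they need. It assumes that "the previous version in the series" means the release immediately before the fixed one; the function names, action labels and host names are constructed for the example.

```python
# series -> first patch level containing the June 9 fixes (from the article)
FIXED = {(2023, 0): 2, (2022, 1): 6, (2022, 0): 5, (2021, 1): 5, (2021, 0): 7}
# internal -> marketing series numbering, as listed in the article (15.0.x == 2023.0.x)
INTERNAL = {(15, 0): (2023, 0), (14, 1): (2022, 1), (14, 0): (2022, 0),
            (13, 1): (2021, 1), (13, 0): (2021, 0), (12, 1): (2020, 1)}

def triage(version: str) -> str:
    """Map an installed version string to the patch action the article describes."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor, got {version!r}")
    major, minor = parts[0], parts[1]
    patch = parts[2] if len(parts) > 2 else 0
    # Accept both numbering schemes: 15.0.1 is treated as 2023.0.1.
    series = INTERNAL.get((major, minor), (major, minor))
    if series == (2020, 1):
        return "special-patch"            # separate patch for 2020.1.x (12.1)
    if series < (2020, 1) and (major >= 100 or (major, minor) <= (12, 0)):
        return "unsupported-upgrade"      # 2020.0.x (12.0) and older
    if series not in FIXED:
        return "unknown"                  # a series the article does not cover
    fixed = FIXED[series]
    if patch >= fixed:
        return "patched"
    # ASSUMPTION: the DLL drop-in applies only to the release just before the fix.
    if patch == fixed - 1:
        return "dll-drop-in-or-full-installer"
    return "full-installer"               # May patch missing: upgrade directly

def plan(inventory: dict) -> dict:
    """Group hosts by the action they need."""
    actions = {}
    for host, version in sorted(inventory.items()):
        actions.setdefault(triage(version), []).append(host)
    return actions

# Constructed sample inventory (host names are made up for the example).
SAMPLE = {"mft-01": "2023.0.2", "mft-02": "15.0.1", "mft-03": "2022.1.3",
          "mft-04": "12.1", "mft-05": "2020.0.4"}

if __name__ == "__main__":
    for action, hosts in plan(SAMPLE).items():
        print(f"{action}: {', '.join(hosts)}")
```

Hosts that land in the DLL drop-in group still need the follow-up step described above: the old DLL must be removed from the system, not kept as a backup.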
