Researchers discovered new critical SQL injection vulnerabilities in the MOVEit Transfer managed file transfer (MFT) solution. The flaws could enable threat actors to exfiltrate information from customers’ databases. In addition, they impact all MOVEit Transfer versions.
An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.
As a result, a new patch was released on June 9, 2023, and customers are urged to apply it as soon as possible.
All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited.
Additionally, BleepingComputer recently published a list of MOVEit Transfer versions that have a patch available for the newly discovered flaws:
| Affected Version | Fixed Version (full installer) | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.x (15.0.x) | MOVEit Transfer 2023.0.2 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.6 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.5 | |
| MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.5 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x (13.0.x) | MOVEit Transfer 2021.0.7 | |
| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See KB Vulnerability (May 2023) Fix for MOVEit Transfer 2020.1 (12.1) |
| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |
How Were the New Vulnerabilities Discovered?
The discovery that the Clop ransomware gang was exploiting CVE-2023-34362 in data theft attacks led to a detailed code review of MOVEit Transfer, during which the new flaws were found. For the moment, there is no evidence that the newly revealed vulnerabilities are being exploited in the wild. According to Progress Software, by leveraging the new vulnerabilities threat actors could submit a crafted payload to a MOVEit Transfer application endpoint, which could lead to altering and exposing MOVEit database content.
Patches became available starting June 9, and security specialists recommend that customers apply them.
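The flaw class described above, SQL injection through a crafted request value, comes down to untrusted input being spliced into the text of a query. The following is an added, generic illustration written for this article; it is not MOVEit Transfer code, does not reflect the actual vulnerable endpoint (which the article does not detail), and uses a constructed in-memory SQLite table named `accounts` purely as a stand-in. It places the defective string-building lookup beside the parameterized version so the difference in behaviour on the same input is visible.

```python
import sqlite3

# Constructed sample data standing in for any application database;
# the schema is an assumption for illustration, not MOVEit's.
ROWS = [
    ("alice", "alice@example.test", "user"),
    ("bob", "bob@example.test", "user"),
    ("svc_admin", "admin@example.test", "admin"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: the request value is concatenated into the SQL text,
    so a value containing a quote can change the statement's structure
    instead of being compared as data."""
    sql = (
        "SELECT username, email, role FROM accounts "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the SQL text is fixed and the driver binds the value
    separately, so whatever the request contains is only ever a string to
    compare against the column."""
    sql = "SELECT username, email, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The textbook tautology input; with string building it widens the WHERE
# clause to match every row, i.e. the "disclosure of database content"
# the advisory warns about, at toy scale.
TAUTOLOGY_INPUT = "' OR '1'='1"


def compare(username: str = TAUTOLOGY_INPUT) -> dict:
    """Run the same input through both lookups and report row counts."""
    conn = build_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, username)),
            "parameterized_rows": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate username matches exactly one row either way; the
    # tautology input leaks every row from the string-built query and
    # nothing from the parameterized one.
    print(compare("alice"))
    print(compare())
```

The same contrast applies to any driver or ORM: the defensive property is that query structure is fixed at authoring time and request data travels through bound parameters, which is also what a code review triggered by an SQL injection report would be checking for endpoint by endpoint.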