Third MOVEit flaw identified by CISA, patch now


A new security advisory is warning organizations to immediately patch a third critical vulnerability found in the MOVEit file transfer system.

US Cybersecurity and Infrastructure Security Agency (CISA) released the advisory late Thursday.

It’s the third critical flaw found affecting the file transfer platform used by thousands of companies around the globe, and recently exploited by the Cl0p ransomware group.


Progress, the American software company that produces and distributes the MOVEit Transfer platform, also posted the warning on its Community home webpage Friday.

The newly found flaw is listed in MITRE's CVE database as CVE-2023-35708.

The original MOVEit zero-day flaw, CVE-2023-34362 from May 31st, was identified after the Cl0p ransomware gang announced it had exploited the software using SQL injection, breaching hundreds of companies worldwide.

"Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment," the warning said about MOVEit's latest bug.

“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment,” it warned.

[Image: Progress advisory of June 15 on the second critical MOVEit flaw CVE]

This is the third patch released to address MOVEit flaws; the second patch was released on June 9th to cover the critical vulnerability CVE-2023-35036.

The latest advisory also specified that the patches have been updated to also include fixes for both the June 9th and June 15th vulnerabilities.


If the fixes are not applied, Progress warns, “the MOVEit Transfer web application could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” where an attacker could modify database content.

This week Cl0p, the Russian-linked ransomware gang responsible for the MOVEit attacks, began to release its first batch of victim names, also threatening to release data stolen from the companies if a ransom demand was not paid.

Confirmed victims include several US federal agencies, Shell Global, British Airways, Zellis, and the BBC.

Over 24,000 companies use Progress software, most of them located in the US and operating in the IT sector, according to marketing research firm Enlyft.

It’s unclear how many Progress clients may be using the MOVEit Transfer system.