Third MOVEit Transfer Vulnerability Disclosed by Progress Software

Yet another MOVEit Transfer vulnerability, CVE-2023-35708, was discovered this week by Progress Software, the third that the company has disclosed, alongside CVE-2023-34362 and CVE-2023-35036.

The issue itself, detailed in an advisory released June 15 by the company, is another SQL injection vulnerability that could potentially allow unauthenticated attackers to gain access to MOVEit’s database. If attackers submit a payload to the MOVEit Transfer application endpoint, they could ultimately modify the database content. Progress Software is encouraging MOVEit Transfer customers to take immediate action to help harden their MOVEit Transfer environments, noting that it is “extremely important” that users act as quickly as possible.

“As we continue to investigate the issue related to MOVEit Cloud and MOVEit Transfer that we previously reported, an independent source has disclosed a new vulnerability that could be exploited by a bad actor,” according to a press statement.

The release of the advisory detailing the latest vulnerability comes on the heels of CISA disclosing an incident in which federal agencies were impacted through the transfer tool at the hands of the Cl0p ransomware gang, part of the ongoing glut of attacks using what was once a zero-day bug in the platform (the first issue patched). Cyberattacks involving the MOVEit Transfer program have now affected several US government agencies, alongside many other companies and organizations, which are now dealing with stolen information, disrupted systems, and sometimes even ransom demands.

Though there are no indications yet that threat actors have exploited the new vulnerability, MOVEit has asserted that it is communicating with customers to help protect their environments and make them safer.
