New high-risk vulnerabilities discovered in MOVEit Transfer

Progress Software, the vendor of the widely deployed MOVEit Transfer managed file transfer (MFT) application, has released security updates to address new vulnerabilities found in the product during a security audit.

The newly discovered flaws, which had yet to receive CVE identifiers at the time of writing, are said to be distinct from the previously reported vulnerability (CVE-2023-34362) disclosed on May 31, 2023.

The new bugs are described as SQL injection issues that stem from insufficient sanitization of user-supplied data in the MOVEit Transfer web application. A remote threat actor can exploit them by sending a specially crafted request to the affected application and thereby execute arbitrary SQL commands against the application database. In practice this means the database contents are exposed regardless of what the application's own authorization logic intended, because the injected SQL runs with the application's database privileges.
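The mechanism described above, as an added example written for this article (it is not MOVEit Transfer code, and the table, rows and "look up a user by token" query are constructed): a request parameter spliced into SQL text lets an attacker widen the `WHERE` clause or bolt a `UNION` onto the query to read columns the page never intended to return, while the same input passed as a bound parameter is treated as an opaque value. Only the Python standard library's `sqlite3` is used, so it runs offline.

```python
import sqlite3

# Constructed fixture standing in for an application database.
SAMPLE_ROWS = [
    ("alice", "tok-a1", "admin@example.test"),
    ("bob", "tok-b2", "bob@example.test"),
]


def make_db():
    """Build an in-memory database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, token TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, token):
    """Insufficient sanitization: the request value becomes part of the SQL text.

    sqlite3's execute() refuses stacked statements (a second ';'-separated
    command), but that is no defence: the attacker only needs to reshape the
    single statement that already runs.
    """
    sql = "SELECT username, email FROM users WHERE token = '" + token + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, token):
    """Hardened: the value is bound as a parameter and can never become SQL."""
    sql = "SELECT username, email FROM users WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


# Attacker-controlled values as they might arrive in a crafted HTTP request.
# 1) Tautology: turns the token check into "match every row".
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
# 2) UNION: closes the original predicate, then reads another column (the
#    tokens themselves) in place of the email column; '--' comments out the
#    dangling quote the application appends.
PAYLOAD_UNION = "' UNION SELECT token, username FROM users--"


def demo():
    """Run both lookups against both a legitimate token and the payloads."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "tok-b2"),
        "tautology_vulnerable": lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, PAYLOAD_UNION),
        "legit_parameterized": lookup_parameterized(conn, "tok-b2"),
        "tautology_parameterized": lookup_parameterized(conn, PAYLOAD_TAUTOLOGY),
        "union_parameterized": lookup_parameterized(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

The tautology payload makes the vulnerable lookup return every user; the `UNION` payload makes it return the session tokens of every user, which is the kind of "arbitrary SQL" outcome the advisory warns about. The parameterized lookup returns nothing for either payload because the whole string is compared against the `token` column as data.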

The flaws, which impact all versions of MOVEit Transfer, have been addressed in versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All MOVEit Cloud instances have been fully patched.

“The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited,” the vendor said in a press release.

The news follows multiple reports of security breaches involving exploitation of CVE-2023-34362 in MOVEit Transfer.

The widespread hacking campaign, attributed to the notorious Clop ransomware gang, is said to have affected more than a hundred organizations, including the UK payroll provider Zellis and several of its high-profile customers (British Airways, the pharmacy chain Boots and the BBC), as well as the government of the Canadian province of Nova Scotia, the University of Rochester, the Irish airline Aer Lingus and the UK communications regulator Ofcom.

According to cybersecurity firm Kroll, the Clop gang was likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021.

Last week, Clop posted a notice on its dark web data leak site telling victims to email the gang before a 14 June deadline or have their data leaked.

