New high-risk vulnerabilities discovered in MOVEit Transfer

Progress Software, the company behind the popular MOVEit Transfer managed file transfer application, has released security updates to address new vulnerabilities found in the application during a security audit.

The newly discovered flaws, which have yet to receive a CVE identifier, are said to be distinct from the previously reported vulnerability (CVE-2023-34362) shared on May 31, 2023.

The new bugs are described as SQL injection vulnerabilities stemming from insufficient sanitization of user-supplied data in the MOVEit Transfer web application. A remote threat actor could exploit them to execute arbitrary SQL commands within the application database by sending a specially crafted request to the affected application.
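As an added illustration, not code from Progress or from the MOVEit Transfer product, the snippet below shows the defect class described above: a lookup that splices request data straight into SQL text, next to the parameterized form that removes the problem. The user table and the sample usernames are constructed test data.

```python
import sqlite3

# Constructed sample data standing in for a file-transfer application's
# user table; nothing here comes from MOVEit Transfer itself.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "obrien@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation: whatever arrives in the
    request becomes part of the SQL text, so a quote character in the input
    changes the query's structure instead of being treated as data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so the database engine never parses the input as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Runs both variants on the same request value and reports what each
    returned; a syntax error from the concatenated query is recorded as
    'error', since it shows the input was parsed as SQL rather than data."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        vuln = "error"
    return {"vulnerable": vuln, "parameterized": lookup_parameterized(conn, username)}


if __name__ == "__main__":
    # A legitimate name containing an apostrophe already breaks the
    # concatenated query, while the parameterized lookup handles it correctly.
    for probe in ["alice", "o'brien"]:
        print(repr(probe), "->", compare(probe))
```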

The flaws, which impact all versions of MOVEit Transfer, have been addressed in versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All MOVEit Cloud instances have been fully patched.

“The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited,” the vendor said in a press release.

The news comes following multiple reports of security breaches involving the exploitation of the CVE-2023-34362 vulnerability in the MOVEit Transfer solution.

The widespread hacking campaign, orchestrated by the notorious Clop ransomware gang, is said to have affected more than a hundred companies, including high-profile British firms such as the payroll provider Zellis, British Airways, the pharmacy chain Boots and the BBC, as well as other organizations such as the government of the Canadian province of Nova Scotia, the University of Rochester, Irish airline Aer Lingus, and UK communications regulator Ofcom.

According to cybersecurity firm Kroll, the Clop gang was likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021.

Last week, Clop posted a notice on their dark web data leak website telling their victims to email them before their set deadline of 14 June, or have their data leaked.

