14 June 2023

New high-risk vulnerabilities discovered in MOVEit Transfer



Progress Software, the company behind the popular MOVEit Transfer protocol, has released security updates to address new vulnerabilities found in the application during a security audit.

The newly discovered flaws, which have yet to receive a CVE identifier, are said to be distinct from the previously reported vulnerability (CVE-2023-34362) shared on May 31, 2023.

The new bugs are described as SQL injection issues that stem from insufficient sanitization of user-supplied data in the MOVEit Transfer web application. A remote threat actor can exploit them to execute arbitrary SQL commands within the application database by sending a specially crafted request to the affected application.

The flaws, which impact all versions of MOVEit Transfer, have been addressed in versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All MOVEit Cloud instances have been fully patched.

“The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited,” the vendor said in a press release.

The news comes following multiple reports of security breaches involving the exploitation of the CVE-2023-34362 vulnerability in the MOVEit Transfer solution.

The widespread hacking campaign, orchestrated by the notorious Clop ransomware gang, is said to have affected more than a hundred companies, including high-profile British firms like payroll provider Zellis, British Airways, the pharmacy chain Boots and the BBC, as well as other organizations such as the government of the Canadian province of Nova Scotia, the University of Rochester, Irish airline Aer Lingus, and UK communications regulator Ofcom.

According to cybersecurity firm Kroll, the Clop gang was likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021.

Last week, Clop posted a notice on their dark web data leak website telling their victims to email them before their set deadline of 14 June, or have their data leaked.

