Yet another MOVEit Transfer vulnerability, CVE-2023-35708, was discovered this week by Progress Software, the third that the company has disclosed, alongside CVE-2023-34362 and CVE-2023-35036.
The issue itself, detailed in an advisory released June 15 by the company, is another SQL injection vulnerability that could potentially allow unauthenticated attackers to gain access to MOVEit’s database. Should attackers submit a crafted payload to a MOVEit Transfer application endpoint, they could ultimately modify the database content. Progress Software is encouraging MOVEit Transfer customers to take immediate action to help harden their MOVEit Transfer environments, noting that it is “extremely important” that users act as quickly as possible.
“As we continue to investigate the issue related to MOVEit Cloud and MOVEit Transfer that we previously reported, an independent source has disclosed a new vulnerability that could be exploited by a bad actor,” according to a press statement.
Government Agencies Under Cl0P Attack
The release of the advisory detailing the latest vulnerability comes on the heels of CISA disclosing that federal agencies were impacted by attacks on the file transfer tool at the hands of the Cl0p ransomware gang — part of the ongoing glut of attacks using what was once a zero-day bug in the platform (the first issue patched). In a statement to CNN, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said that CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.”
Two Department of Energy victims have been named: 1) Oak Ridge Associated Universities, a not-for-profit research center, and 2) the Waste Isolation Pilot Plant, a contractor that disposes of atomic energy waste.
Cyberattacks involving the use of the MOVEit Transfer program have now affected several US government agencies, alongside many other companies and organizations, which are now dealing with the loss of stolen information, disrupted systems, and sometimes even ransom demands. The victim count could reach into the hundreds.
Though there haven’t been any indications that threat actors have yet exploited the new vulnerability, MOVEit has asserted that it is communicating with customers to help them protect their environments and make them safer.