Cyber Security Threat Summary:
On Friday, Progress Software released security fixes to address several SQL injection vulnerabilities impacting its file transfer application, MOVEit. Although the company has yet to assign individual CVEs for the flaws, successful exploitation could enable an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” stated the company in its advisory.

The flaws were uncovered by cybersecurity firm Huntress as part of a code review and impact all versions of MOVEit Transfer. They have been patched in MOVEit Transfer versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2).

Security Officer Comments:
The development comes after Progress Software addressed another critical SQL injection flaw (CVE-2023-34362) in its MOVEit Transfer web application, that was exploited by Clop ransomware in attacks in the wild. As of writing, Progress Software has yet to find any evidence of active exploitation of the latest flaws. However given that Clop ransomware was observed exploiting CVE-2023-34362 to steal data from MOVEit Transfer databases, these new SQL injection flaws could be abused in a similar fashion.

Suggested Correction(s):
Customers running on vulnerable versions of the software should ensure that they update to the latest versions as soon as possible to prevent potential attacks. For more information on patching, please refer to the company’s advisory down below:

https://community.progress.com/s/ar...bility-CVE-Pending-Reserve-Status-June-9-2023

Link(s):
https://thehackernews.com/2023/06/new-critical-moveit-transfer-sql.html