The Cybersecurity and Infrastructure Security Agency (CISA) has warned about three new vulnerabilities in Progress Software’s MOVEit software. A cybercriminal could exploit some of these vulnerabilities to obtain sensitive information.
In the advisory, CISA encouraged users to review Progress' MOVEit Transfer article and apply the updates.
The MOVEit file transfer software has been making headlines over the last two months. Earlier vulnerabilities in the software have been used by the Cl0p ransomware gang to claim hundreds of victims, and new victim names are published on the Cl0p leak site every single day.
Since the alarm was first raised, the software has been under scrutiny and more vulnerabilities have since been found. This, unfortunately, is not unexpected, and no doubt many software packages would reveal vulnerabilities with so many researchers looking at them.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:
CVE-2023-36934 (Critical): In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
CVE-2023-36932 (High severity): In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
CVE-2023-36933 (High severity): In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.
Before implementing the fix, it is important to make sure you are on MOVEit Transfer 2020.1.6 (12.1.6) or a later version of 2020.1 (12.1), and to follow the instructions in the MOVEit article.
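Sorting an inventory of installs against the fixed builds listed above, as an added example that is not code from the advisory or from Progress: the version strings are constructed, the product-to-build mapping is read off the pairings in the CVE text (for example "2022.0.7 (14.0.7)"), and "not listed" means the advisory names no fixed build for that branch, not that the branch is safe.

```python
# Added example (not from Progress or CISA): triage an installed MOVEit
# Transfer build against the three CVEs above. Fixed builds are transcribed
# from the CVE descriptions; the 12.1.6 prerequisite from the note on 2020.1.

# Product release -> build branch, as paired in the descriptions above,
# e.g. "2022.0.7 (14.0.7)".
PRODUCT_TO_BUILD = {"2020.1": "12.1", "2021.0": "13.0", "2021.1": "13.1",
                    "2022.0": "14.0", "2022.1": "14.1", "2023.0": "15.0"}

# First patched patch level per build branch, per CVE. A branch absent from
# a CVE's map is "not listed" in the advisory, which is not "not affected".
FIXED_PATCH = {
    "CVE-2023-36934": {"12.1": 11, "13.0": 9, "13.1": 7, "14.0": 7, "14.1": 8, "15.0": 4},
    "CVE-2023-36932": {"12.1": 11, "13.0": 9, "13.1": 7, "14.0": 7, "14.1": 8, "15.0": 4},
    "CVE-2023-36933": {"13.0": 9, "13.1": 7, "14.0": 7, "14.1": 8, "15.0": 4},
}
MIN_12_1_PATCH_BEFORE_FIX = 6  # 2020.1 (12.1) installs must reach 12.1.6 first


def parse_build(version: str) -> tuple[str, int]:
    """Return (build branch, patch level) from '14.0.5' or '2022.0.5'."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MOVEit version string: {version!r}")
    branch, patch = f"{parts[0]}.{parts[1]}", int(parts[2])
    if int(parts[0]) >= 2000:  # product-style numbering such as 2022.0.5
        branch = PRODUCT_TO_BUILD.get(branch, branch)
    return branch, patch


def triage(version: str) -> dict:
    """Per-CVE status for one install, plus whether 12.1.6 must come first."""
    branch, patch = parse_build(version)
    status = {}
    for cve, fixes in FIXED_PATCH.items():
        if branch not in fixes:
            status[cve] = "not listed"   # confirm with the vendor article
        elif patch >= fixes[branch]:
            status[cve] = "fixed"
        else:
            status[cve] = "vulnerable"
    return {"branch": branch, "cves": status,
            "needs_12_1_6_first": branch == "12.1" and patch < MIN_12_1_PATCH_BEFORE_FIX}


if __name__ == "__main__":
    for v in ("14.0.5", "2020.1.3", "15.0.4"):  # constructed sample inputs
        print(v, triage(v))
```

Feed it the version string from each server's inventory record; anything reported as "vulnerable" or "not listed", or with the 12.1.6 prerequisite unmet, goes on the list to check against the Progress article before patching.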
We don't just report on vulnerabilities; we identify them and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.