As ransomware gangs and other threat actors continue to target the critical MOVEit Transfer vulnerability disclosed last month, the maker of the application have discovered another separate vulnerability and are urging customers to apply the new patch immediately.
The newer bug (CVE-2023-35708) is not quite as serious as the older one (CVE-2023-34262) and is a privilege escalation issue that affects all versions of the MOVEit Transfer file transfer app. Progress Software, the maker of the app, disclosed the bug on Thursday, just as United States government officials said that some federal agencies had been compromised by attacks on the older MOVEit Transfer flaw.
“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment,” the new advisory says.
“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer.”
For organizations that have applied the fix for the earlier vulnerability, Progress is recommending that customers immediately disable all HTTP and HTTPS traffic to their MOVEit Transfer instances and then install the updates to fix the new bug.
It is especially important for affected organizations to install the updates as soon as possible given the attention that high-level attackers are focusing on MOVEit Transfer already. The older vulnerability has become a target for many threat actors, most notably the Cl0p ransomware group, which has claimed a number of victims in the last couple of weeks. On Thursday, CISA Director Jen Easterly said that some federal agencies had been hit by attacks on MOVEit Transfer recently.
“Right now we're focused specifically on those federal agencies that may be impacted and we're working hand in hand with them to be able to mitigate that risk,” Easterly told MSNBC.