Progress Software has released a service pack to fix three newly identified vulnerabilities in its MOVEit Transfer web application, a widely used file-transfer app that has been the target of exploitation attempts by various threat groups for the last few weeks.
The service pack contains patches for three bugs, none of which is among the previously identified vulnerabilities that attackers have targeted in the application. The newly patched bugs (CVE-2023-36932, CVE-2023-36933, CVE-2023-36934) include a critical SQL injection bug, a less-serious SQL injection flaw, and a third bug that can crash the application. Progress Software is encouraging all affected customers to install the service pack as soon as possible. This is especially important given the attention that other, known bugs in MOVEit Transfer have attracted from attackers.
The critical vulnerability affects every version of the web app released before 2020.
“In Progress MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” the advisory says.
In late May, researchers identified a separate vulnerability (CVE-2023-34362) in MOVEit Transfer and found that several distinct attack groups were targeting it within a day or two. That vulnerability is similar to the critical SQL injection bug fixed in this new service pack, but researchers quickly discovered that the flaw could also lead to remote code execution. In many attacks exploiting that flaw, threat actors used it to install webshells for persistence.
In the new advisory published this week, Progress Software did not identify any active exploitation of the new vulnerabilities. But attackers have been targeting the MOVEit Transfer web app for more than a month now, so it would not be surprising to see exploitation of these flaws emerge in the next few days now that the details of the bugs are public.
Aside from the two newly identified SQL injection vulnerabilities, the third bug fixed in the new service pack is one that can cause MOVEit Transfer to crash.
“In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly,” the advisory says.
That flaw affects every version released before 2021.
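As an added example (not Progress Software's code), the following patch-compliance check is built from the fixed versions quoted in the two advisory excerpts above. The hostnames and versions in the sample inventory are constructed, and treating a release branch newer than any listed fix as patched is an assumption.

```python
"""Check installed MOVEit Transfer versions against the fixed releases quoted
in the Progress advisory.  Added example, not Progress Software's code."""

# Fixed releases quoted in the advisory, keyed by release branch (YYYY.N).
# Note the 2020.1 branch has a listed fix for the SQL injection bug only.
FIXED = {
    "sql_injection": {
        "2020.1": (2020, 1, 11), "2021.0": (2021, 0, 9), "2021.1": (2021, 1, 7),
        "2022.0": (2022, 0, 7), "2022.1": (2022, 1, 8), "2023.0": (2023, 0, 4),
    },
    "unhandled_exception": {
        "2021.0": (2021, 0, 9), "2021.1": (2021, 1, 7),
        "2022.0": (2022, 0, 7), "2022.1": (2022, 1, 8), "2023.0": (2023, 0, 4),
    },
}

def parse_version(text):
    """Parse 'YYYY.N.P', optionally followed by the legacy number in
    parentheses as the advisory writes it ('2021.1.7 (13.1.7)'), to an int tuple."""
    marketing = text.split("(")[0].strip()
    parts = marketing.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(p) for p in parts)

def status(installed, bug):
    """Return 'fixed', 'vulnerable' or 'no_fix_in_branch' for one bug class."""
    ver = parse_version(installed)
    branch = f"{ver[0]}.{ver[1]}"
    fixed = FIXED[bug]
    if branch in fixed:
        return "fixed" if ver >= fixed[branch] else "vulnerable"
    # Assumption: a branch newer than every listed fix ships with the fix.
    if ver > max(fixed.values()):
        return "fixed"
    # Older branch with no listed fix: only an upgrade to a fixed branch helps.
    return "no_fix_in_branch"

def audit(inventory):
    """Map host -> {bug: status} for a {host: version} inventory."""
    return {host: {bug: status(ver, bug) for bug in FIXED}
            for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mft-01": "2021.0.8", "mft-02": "2020.1.11 (12.1.11)",
              "mft-03": "2023.0.4", "mft-legacy": "2019.0.3"}
    for host, result in audit(sample).items():
        print(host, result)
```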