Software vendor Progress is warning customers about a new vulnerability in its MOVEit Transfer software. The flaw is an SQL injection that makes it possible to steal confidential data from customer databases. The company advises its customers to install the latest security updates immediately.
Progress reports the new vulnerability on its community forum.
Developer: ‘Install security patch as soon as possible’
Researchers at the cybersecurity company Huntress discovered the vulnerability. It allows unauthenticated attackers to reach MOVEit Transfer servers that are exposed to the Internet and modify or steal customer data.
“An attacker could send a fabricated payload to an endpoint in the MOVEit Transfer application. This, in turn, can compromise the integrity of the contents of MOVEit databases or make the contents available to unauthorized persons,” Progress stated in a recent Security Advisory.
The investigation into the vulnerability is still ongoing. In the meantime, the vendor advises customers to install the security patch, available since Friday, June 9, as soon as possible. According to Progress, there are currently no indications that the newly discovered vulnerability has been exploited.
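The mechanism the advisory describes, a crafted request parameter that ends up inside a database query, is the general pattern of SQL injection. The following is an added illustration and is not MOVEit code or material from Progress's advisory: a hypothetical file-listing handler backed by SQLite with constructed sample rows, first with the request value spliced into the query text and then with a bound parameter. The table names, payloads and sample data are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for a toy file-transfer application (not MOVEit's schema).
SAMPLE_FILES = [
    (1, "alice", "q1-report.pdf"),
    (2, "bob", "payroll.xlsx"),
    (3, "carol", "contracts.zip"),
]
SAMPLE_USERS = [
    (1, "admin", "$2b$12$constructed-hash-1"),
    (2, "svc-transfer", "$2b$12$constructed-hash-2"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_FILES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def list_files_vulnerable(conn, owner):
    """Hypothetical endpoint handler: the request parameter is spliced into the SQL text,
    so whatever the client sends becomes part of the statement."""
    query = f"SELECT id, owner, name FROM files WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def list_files_hardened(conn, owner):
    """Same lookup with a bound parameter: the value travels to the engine separately
    from the statement, so quotes and keywords inside it are never parsed as SQL."""
    query = "SELECT id, owner, name FROM files WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


# Constructed payloads an unauthenticated client could send in place of a username.
TAUTOLOGY = "nobody' OR '1'='1"  # makes the WHERE clause always true: dumps the table
UNION_PAYLOAD = "x' UNION SELECT id, username, pwhash FROM users --"  # reads another table


def demo():
    """Run both payloads through both handlers and return the row counts each produced."""
    conn = make_db()
    return {
        "vulnerable_tautology": len(list_files_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_union": len(list_files_vulnerable(conn, UNION_PAYLOAD)),
        "hardened_tautology": len(list_files_hardened(conn, TAUTOLOGY)),
        "hardened_union": len(list_files_hardened(conn, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for case, count in demo().items():
        print(f"{case}: {count} row(s) returned")
```

Against the spliced-string handler, the tautology payload returns every row in the files table and the UNION payload returns the contents of a table the endpoint was never meant to expose, which is the "make the contents available to unauthorized persons" outcome the advisory warns about. The bound-parameter handler returns nothing for either payload because the engine compares the whole string, quotes and all, against the owner column. The fix therefore has to be in the vendor's query construction; filtering quotes at a WAF only narrows the set of payloads that work.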
Russian hacker group says it has made ‘hundreds’ of victims
It is the second warning about MOVEit Transfer, a managed file-transfer application, that Progress has issued within a few weeks. At the end of May, the company disclosed a serious vulnerability in the software that made it possible to steal confidential or privacy-sensitive information from customers. The National Cyber Security Center (NCSC) advised system administrators to install the security update as soon as possible.
The Russian hacker group Clop claims to have exploited that earlier vulnerability as a zero-day to steal data from ‘hundreds’ of companies and organizations. Last week, the airlines British Airways and Aer Lingus, the pharmacy chain Boots, the British broadcaster BBC, the government of the Canadian province of Nova Scotia, the British payroll company Zellis and the University of Rochester reported that they were victims of data theft via MOVEit Transfer. Landal GreenParks reported at the end of last week that the personal data of 12,000 holidaymakers may have been obtained through the flaw in the application.
Progress emphasizes that this is a different vulnerability from the one disclosed in May. A CVE identifier has not yet been assigned.