

The U.S. Cybersecurity and Infrastructure Security Agency has added a critical vulnerability in Progress Software Corp.’s MOVEit file transfer software to its Known Exploited Vulnerabilities Catalog and reportedly ordered all federal agencies to patch their systems by June 23.
MOVEit is managed file transfer software designed to provide secure and compliant transfers of sensitive data within and between organizations. It can automate complex workflows, manage and display all file transfer activity in real time, and ensure reliable and predictable file transfer. It supports secure protocols, including FTPS, HTTPS and SFTP, and offers encryption at rest and in transit.
The vulnerability in the software, tracked as CVE-2023-34362, is being actively exploited by threat actors who have stolen data from several organizations. An unauthenticated, remote attacker can exploit the vulnerability by sending a specially crafted SQL injection payload to a vulnerable MOVEit Transfer instance.
Successful exploitation gives an attacker access to the underlying MOVEit Transfer instance. Depending on the specific database engine in use, such as MySQL, Microsoft SQL Server, or Azure SQL, the attacker may be able to infer information about the structure and contents of the database.
The vulnerability affects both the on-premises and cloud versions of MOVEit. Progress Software today released a security advisory on the vulnerability, including details on mitigating the issue.
“For users of the affected software, this is a potentially serious issue and they should follow the vendor’s guidance in mitigation and remediation as quickly as practical,” Mike Parkin, senior technical engineer at cyber risk remediation company Vulcan Cyber Ltd., told SiliconANGLE. “While exploits don’t appear to be widespread so far and there aren’t a huge number of vulnerable systems, it’s always best to be proactive when there are exploits happening in the wild. MOVEit has released patches and compensating controls and indications of compromise for this exploit are easy to spot.”
Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., warned that the vulnerability in MOVEit Transfer serves as a stark reminder of the constant threats lurking in the digital landscape.
“The vulnerability at hand, a SQL injection flaw, could lead to escalated privileges and unauthorized access, allowing attackers to steal sensitive data from organizations,” Jones added. “The MOVEit Transfer case bears a striking resemblance to a slew of SQLi attacks happening on file storage and transfer systems, the latest being QNAP devices and a high-profile attack by Clop on Fortra’s GoAnywhere file transfer software, underscoring the potential severity of such vulnerabilities.”