Shortly after Progress Software disclosed a critical zero-day vulnerability in its MOVEit Transfer file transfer software and urged customers to patch the SQL injection vulnerability immediately, a new critical vulnerability has been found and a second patch has been issued. Progress warns that "all versions of MOVEit Transfer are affected by this vulnerability."
Progress partnered with a third-party cybersecurity firm to investigate the zero-day disclosed on May 31, CVE-2023-34362. During the investigation, Huntress uncovered additional vulnerabilities that could be exploited by bad actors and that are separate from the first SQL injection. Progress said on Friday that the Common Vulnerabilities and Exposures (CVE) designations are pending reserved-status processing by the CVE authority MITRE.
The multiple new SQL injection vulnerabilities could allow an unauthenticated attacker to gain access to the MOVEit Transfer database; such an attacker could then submit a crafted payload to a MOVEit Transfer application endpoint, resulting in modification and disclosure of MOVEit database content.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. All versions of MOVEit Transfer are affected by this vulnerability. Patches for this vulnerability are available for supported versions and are listed in the Recommended Remediation section," Progress wrote in a security bulletin.
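The bulletin describes the class of flaw (SQL injection reachable from an application endpoint) but not its mechanics. The following is an added, generic illustration written for this page; it is not MOVEit's code and says nothing about its schema or endpoints. It uses an in-memory SQLite table with constructed rows to show, side by side, why splicing untrusted input into SQL text lets a crafted value disclose the whole table, and why binding the same value as a parameter does not. The table, rows and function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a tiny stand-alone table standing in for an
# application's database. Nothing here is MOVeit's schema or data.
SAMPLE_ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: untrusted input is spliced into the SQL text.

    The value becomes part of the statement's structure, so input that
    contains SQL syntax changes what the statement does.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the input is bound as a query parameter.

    The driver passes the value separately from the statement text, so it
    is only ever compared as data and cannot alter the query's structure.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(payload: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, payload)),
        "safe_rows": len(lookup_safe(conn, payload)),
    }


if __name__ == "__main__":
    # A benign lookup behaves the same either way.
    print(compare("alice"))          # {'unsafe_rows': 1, 'safe_rows': 1}
    # A textbook tautology value: in the unsafe query the WHERE clause
    # becomes always-true and every row is disclosed; the parameterised
    # query just finds no user with that literal name.
    print(compare("' OR '1'='1"))    # {'unsafe_rows': 2, 'safe_rows': 0}
```

The defensive takeaway is the one the second patch cycle reinforces: an audit for this bug class looks for every place a request value reaches a query as text, and the fix is parameter binding at each of them, not escaping or a denylist.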
Progress said it hasn't seen indications that the newly discovered vulnerabilities have been exploited. Customers are urged to apply both patches.
The Clop ransomware group, which Microsoft has attributed with exploiting the zero-day in the MOVEit Transfer app, is believed to have spent nearly two years experimenting with the vulnerability before carrying out mass exploitation events, according to Kroll researchers.
As previously reported, the vulnerability disclosed in May could lead to escalated privileges and potential unauthorized access to hundreds of thousands of IT environments.
Known victims of the exploit include the BBC, British Airways, UK drugstore chain Boots, the provincial government of Nova Scotia and payroll service provider Zellis.