Software developer Progress has warned its customers about a new critical vulnerability in MOVEit Transfer, which could lead to the theft of databases containing sensitive information. According to a security researcher, a similar flaw was exploited in late May in attacks on hundreds of organizations worldwide, resulting in the theft of data belonging to 17.5 million individuals.
MOVEit Transfer is a file exchange application widely used by organizations to share confidential information internally. In the May attack, cybercriminals behind the Clop ransomware leveraged a zero-day vulnerability in MOVEit Transfer to steal various databases containing personal data. These criminals have threatened to publish the stolen data on their websites if victims refuse to pay.
Following the attack, multiple security researchers began investigating MOVEit Transfer and discovered several critical vulnerabilities. The latest critical vulnerability, identified as CVE-2023-36934, is an SQL injection flaw that allows an unauthorized attacker to modify and steal the contents of the MOVEit database.
Progress has released updates to address the issue and urges customers to install them. Additionally, the company has announced plans to release a Service Pack every two months, incorporating all the fixes and updates from the previous period. According to security researcher Brett Callow, the Clop group successfully targeted 218 organizations in late May, compromising data belonging to 17.5 million individuals.