iTnews Asia

Progress Software moves on another MOVEit vulnerability

Irresponsible disclosure by third party.

By Richard Chirgwin on Jun 19, 2023 11:46AM

Progress Software’s ongoing MOVEit saga continued late last week, with the company moving to patch another security vulnerability in its managed file transfer software.

Advising that it had patched an SQLi bug designated CVE-2023-35708, Progress Software said the party that found the bug “did not follow normal industry standards”.

“Because it is common across the industry that reported vulnerabilities lead to increased attention from both malicious threat actors and cyber security researchers trying to uncover new vulnerabilities, we are working closely with our industry partners to take all appropriate steps to address any issues,” the company said.

NIST’s advisory said the bug “could allow an unauthenticated attacker to gain unauthorised access to MOVEit Transfer's database.”

“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content,” NIST stated.

When it discovered the bug, Progress disabled HTTPS traffic on MOVEit Cloud, and asked customers “to take down their HTTP and HTTPs traffic to safeguard their environments”.

Progress said it has not seen any evidence that the new vulnerability was being exploited, and has updated a knowledge base article to tell customers how to apply the latest patch.

Problems with MOVEit first emerged early in June, with victims of the earlier bug including British Airways, the BBC, and several unnamed US government agencies.

Copyright © iTnews.com.au . All rights reserved.