The vulnerability in MOVEit Transfer was discovered on May 31st and caused a lot of excitement as it was immediately exploited by the APT group CLOP and stolen a lot of data. The manufacturer immediately offered a patch, which is already out of date, as a second vulnerability was found in which now affects MOVEit Transfer and also MOVEit Cloud.
For many companies, the situation is far from over. After the first vulnerability in The manufacturer Progress Software immediately offered MOVEit Transfer a suitable patch. But the time was probably enough for the APT group CLOP to attack dozens of companies and extract lots of data. In Germany, this may have happened with the AOK. At least that's what the BSI claims in a report in which a data leak was observed.
MOVEit: Another vulnerability - new patch is available
Progress Software said it worked with external cybersecurity experts to further review the existing code. One found on June 09, 2023 another vulnerability. Since this is not closed by the first patch, companies urgently need to install a second patch - for MOVEit Transfer and MOVEit Cloud. This is also available online. The following gaps must be closed:
Patch 1: CVE-2023-34362 (May 31, 2023)
Patch 2: CVE-2023-35036 (June 9, 2023)
While investigation of the code is ongoing, Progress Software currently sees no further evidence that this newly discovered vulnerability has been exploited.
Now MOVEit Cloud is also affected
In addition to MOVEit Transfer in particular, the second patch also affects MOVEit Cloud users, as they were not actually affected by the first vulnerability. This security is now over as long as the new second patch is not installed.
More at Progress.com