A zero-day vulnerability in Progress Software's MOVEit managed file transfer service is being actively exploited across multiple customer environments, threat intelligence firms warned Thursday.
Progress disclosed the critical vulnerability in an advisory Wednesday, adding it could allow threat actors to escalate privileges and gain unauthorized access to customer environments. It does not yet have an assigned CVE.
Mandiant is currently investigating several intrusions linked to active exploitation of MOVEit and is encouraging all customers using the service to forensically examine their systems for compromise and data theft.
“Mass exploitation and broad data theft has occurred over the past few days,” Mandiant Consulting CTO Charles Carmakal said in a statement.
“Based on the evidence Mandiant has analyzed so far, the earliest known evidence of exploitation occurred on May 27,” Carmakal said. “It’s possible we’ll learn about earlier exploitation as we continue our investigations.”
Progress said it’s “extremely important” for all MOVEit customers to apply mitigation measures immediately, including disabling all HTTP and HTTPS traffic to MOVEit environments. The company released patches for all supported versions of MOVEit Thursday, but did not immediately respond to a request for additional details.
The vulnerability impacts on-prem and cloud-based versions of MOVEit. The vendor, in a status update, said it patched cloud test servers on Thursday and restored HTTPS access.
IoCs, 30 days out
Progress told customers to check for potential indicators of compromise “over at least the past 30 days,” including the creation of unexpected files and unexpected or large file downloads.
Huntress and Rapid7 also shared evidence of active exploits of the MOVEit zero-day vulnerability and indicators of compromise on Thursday.
“As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the United States,” Caitlin Condon, senior manager of vulnerability research at Rapid7, said in a blog post, referencing Shodan data.
Huntress, in a post on Reddit, said it has observed fewer than 10 hosts with currently known indicators of compromise, including exploits that occurred on Tuesday.
This is the third high-profile, actively exploited vulnerability currently linked to a file-transfer service this year.
Ransomware groups were still actively exploiting a vulnerability in unpatched versions of IBM Aspera Faspex as recently as late March, almost four months after a patch was first made available.
Threat actors affiliated with the Clop ransomware group claimed almost 200 victims by exploiting a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service in March.
Customers impacted by the MOVEit zero-day vulnerability should prepare for potential extortion and publication of stolen data, Carmakal said.
“Mass exploitation of zero-day vulnerabilities with other managed file transfer solutions have resulted in data theft, extortion, publication of stolen data and victim shaming,” Carmakal said.