Dive Brief:
- Progress Software disclosed two new high-severity vulnerabilities in the beleaguered MOVEit file-transfer service last week. A privilege escalation path vulnerability, CVE-2023-6218, and a cross-site scripting vulnerability, CVE-2023-6217, were disclosed and patched Nov. 29.
- The additional set of vulnerabilities brings the total number of CVEs in MOVEit to eight since a zero-day vulnerability, CVE-2023-34362, was widely exploited in late May. A spree of related attacks by the Clop ransomware group has impacted nearly 2,700 organizations and at least 84 million people, according to Emsisoft.
- The company said it had no evidence the latest vulnerabilities have been actively exploited as of Wednesday, but declined to say when they were discovered.
Dive Insight:
Progress Software has disclosed eight vulnerabilities in MOVEit over the last six months. The enterprise software company separately disclosed eight vulnerabilities in WS_FTP Server, another file-transfer service, all at once in late September.
The pace and scale of vulnerabilities disclosed by Progress Software since May underscore a recurring trend of security issues in the company’s products, particularly file-transfer services, which hold highly sensitive data.
“Researchers and threat actors alike have these file-transfer tools in their sights now more than perhaps ever before, so it's not entirely surprising that more vulnerabilities are being discovered in Progress Software's offerings,” Emily Austin, senior researcher and security research manager at Censys, said via email.
“One of the two vulnerabilities in their recent advisory was apparently found internally by their engineers, which is a good sign that they're at least trying to identify and remediate issues,” Austin said.
The latest disclosure indicates the company is taking steps to root out problems in its software and help its customers mitigate vulnerabilities before threat actors exploit them for attacks.
“We formalized a regular service pack program for MOVEit products this year to provide a predictable, simple and transparent process for product and security fixes to make it easier for customers to adopt new updates,” a company spokesperson said Wednesday.
“We have no evidence that the vulnerabilities patched in the November service pack have been exploited,” the spokesperson said.
Other vulnerabilities disclosed in MOVEit since late May include: