MOVEit Transfer Faces Another Critical Data-Theft Bug



Another critical SQL injection vulnerability has been disclosed and patched in Progress Software's MOVEit Transfer software, the fourth such flaw revealed in the space of a month.

The security bug (CVE-2023-36934) is distinct from the previous zero-day flaw that is being exploited with resounding success by the Cl0p ransomware gang. But like that bug, it could allow unauthenticated cyberattackers to access MOVEit Transfer databases, and from there execute malware, manipulate files, or exfiltrate information.

“An attacker may submit a crafted payload to a MOVEit Transfer software endpoint which may result in modification and disclosure of MOVEit database content,” according to the Progress advisory on the bug.

The flaw hasn’t been exploited in the wild so far, according to the advisory, but given its severity, users are urged to patch it as soon as possible, along with two high-severity vulnerabilities (CVE-2023-36932 and CVE-2023-36933) disclosed at the same time.

The bugs affect MOVEit Transfer versions 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
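A way to triage an asset inventory against the version list above, as an added example that is not from the article or from Progress. The hostnames and installed versions are constructed, and two interpretations are assumptions: "and earlier" is applied per major.minor branch, and "12.1.10 and earlier" is taken to cover every branch older than 12.1.

```python
# Added example: classify MOVEit Transfer versions against the article's list.
# Highest affected patch level per (major, minor) branch, as listed in the article.
AFFECTED_MAX = {
    (12, 1): 10,
    (13, 0): 8,
    (13, 1): 6,
    (14, 0): 6,
    (14, 1): 7,
    (15, 0): 3,
}
OLDEST_BRANCH = min(AFFECTED_MAX)


def parse_version(text):
    """Parse 'major.minor.patch' into ints; extra components are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError("expected major.minor.patch, got %r" % text)
    return tuple(int(p) for p in parts[:3])


def classify(version_text):
    """Return 'affected', 'above_listed_range' or 'unknown' for one version."""
    try:
        major, minor, patch = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable inventory data needs manual review
    branch = (major, minor)
    if branch in AFFECTED_MAX:
        return "affected" if patch <= AFFECTED_MAX[branch] else "above_listed_range"
    if branch < OLDEST_BRANCH:
        return "affected"  # assumption: older branches fall under "12.1.10 and earlier"
    return "unknown"  # branch not named in the article: check the vendor advisory


def triage(inventory):
    """Map each host to its classification, given {host: version string}."""
    return {host: classify(version) for host, version in sorted(inventory.items())}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"mft-01": "15.0.3", "mft-02": "15.0.4", "mft-03": "12.0.9", "mft-04": "n/a"}
    for host, status in triage(sample).items():
        print(host, status)
```

Hosts reported as `unknown` are not cleared; they need the installed version confirmed against the vendor advisory.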

The other SQL vulnerabilities revealed since early June are CVE-2023-35708 and CVE-2023-35036, as well as CVE-2023-34362, which is Cl0p’s target and was discovered Memorial Day weekend.

Speaking of the Cl0p campaign, the extortion gang is galloping on, claiming 200+ victims so far, including government agencies. The blast radius of the campaign has been widened by compromised third-party vendors exposing their downstream customers.

Progress said this week that it plans to release MOVEit product updates every two months from now on.
