Dangerous vulnerabilities have once again emerged in the MoveIT software. In the meantime, Progress Software has already released patches to fix these problems.

Progress Software has again released a series of patches, again for (three) vulnerabilities found in MoveIT’s data transfer software.

New vulnerabilities, old problems

Progress Software has been having a rough time lately. It’s only been a few weeks since the latest vulnerabilities in MoveIT came to light. Of the three new reports, the most significant is CVE-2023-36934. This vulnerability allows an attacker to access an application’s database after performing a classic SQL injection.

What’s unique about CVE-2023-36934 and the earlier vulnerabilities is that hackers don’t even need to be logged into the system they’re attacking. Poorly written application code can cause a system to read data input as a request. Hackers can exploit such a bug after SQL injection by adding code and manipulating the database.

exploitation

The current vulnerabilities share the same characteristics as the recent problems that have been exploited to their hearts’ content by the hacker collective Clop and have already caused many victims. Experts were already afraid of this when the leaks became known.

It is not yet known if these new vulnerabilities have already been exploited, but Progress Software advises all users not to take any risks and install the updates immediately if possible.