A critical vulnerability in Progress Software’s MOVEit Transfer is under exploitation, according to a report from Rapid7.
The zero-day vulnerability, which Progress disclosed Wednesday, is a SQL injection flaw in the managed file transfer (MFT) product that could lead to escalated privileges and potential unauthorized access. No patch is currently available for the flaw, and it has not yet been assigned a CVE.
Progress’ advisory did not note any exploitation activity. However, in a blog post Thursday morning, Rapid7 said it is currently observing active exploitation of the flaw.
“We have observed an uptick in related cases since the vulnerability was disclosed publicly yesterday (May 31, 2023); file transfer solutions have been popular targets for attackers, including ransomware groups, in recent years,” wrote Caitlin Condon, vulnerability research manager at Rapid7. “We strongly recommend that MOVEit Transfer customers prioritize mitigation on an emergency basis.”
Condon’s post referenced the attacks on Fortra’s GoAnywhere MFT software earlier this year. The attacks on GoAnywhere began in late January with zero-day exploitation of a remote code injection flaw, CVE-2023-0669, and continued into February. Many of the attacks appeared to be the work of the Clop and LockBit ransomware gangs.
It’s unclear which threat actors are behind the attacks exploiting the MOVEit Transfer zero-day. Condon wrote that Rapid7 discovered the same web shell in several customer environments, which she said indicates a possibly automated exploit. She also noted that approximately 2,500 MOVEit Transfer instances are exposed to the public internet, most of them located in the U.S.
In its advisory, Progress urged MOVEit Transfer customers to take “immediate action” by implementing temporary mitigations while the vendor completes work on a patch. It told customers to immediately disable all HTTP and HTTPS traffic to their MOVEit Transfer instances and to check for potential indicators of compromise over the last 30 days, such as the creation of “unexpected files” or any large file downloads.
TechTarget Editorial contacted Progress Software for comment, but the company had not responded as of press time.
Rob Wright is a longtime technology reporter who lives in the Boston area.