CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.
The critical flaw (tracked as CVE-2023-34362) is an SQL injection vulnerability that enables unauthenticated, remote attackers to gain access to MOVEit Transfer's database and execute arbitrary code.
Under the November 2021 binding operational directive BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate any vulnerability added to CISA's Known Exploited Vulnerabilities catalog by the deadline attached to its entry, in this case June 23.
While BOD 22-01 primarily focuses on federal agencies, it is highly recommended that private companies also prioritize securing their systems against this actively exploited MOVEit Transfer flaw.
Progress advises all customers to patch their MOVEit Transfer instances to block exploitation attempts and potential breaches.
Those who cannot immediately apply the security updates can instead block all inbound HTTP and HTTPS traffic (ports 80 and 443) to their MOVEit Transfer environments to reduce the attack surface until they patch. Note that this takes the web interface and its APIs offline; SFTP and FTP/S transfers continue to work.
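As an added illustration of that interim mitigation (example code, not from Progress or CISA), the following PowerShell adds a host-firewall block for inbound TCP 80/443 on a Windows MOVEit Transfer server and verifies it. It assumes the default web ports, Windows Defender Firewall on the host, an elevated session, and a hypothetical rule name; a block rule takes precedence over existing IIS allow rules, so no other rules need editing.

```powershell
# Added example, not from the vendor advisory: temporary host-firewall block of
# inbound HTTP/HTTPS to a MOVEit Transfer server until the fixed release is applied.
# Assumptions: default ports 80/443, Windows Defender Firewall in use, elevated
# PowerShell session. The rule name below is hypothetical; adjust ports if the
# web front end is bound elsewhere.

$ruleName = 'MOVEit-Block-Web-CVE-2023-34362'

# Block inbound HTTP/HTTPS on every profile. SFTP (TCP 22) and FTP/S are untouched,
# so file transfers over those protocols keep working while the web UI is offline.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -Action Block -Profile Any -Enabled True | Out-Null

# Verify the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# Optional check from a second host: the web port should no longer accept connections.
# Test-NetConnection -ComputerName moveit.example.com -Port 443

# After patching, remove the rule to restore web access:
# Remove-NetFirewallRule -DisplayName $ruleName
```

Run the `Test-NetConnection` check from outside the server, not on the server itself, since the host firewall does not filter loopback traffic. If the server sits behind a perimeter firewall or load balancer, apply the same deny there as well so the block does not depend on a single control.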
You can find the list of affected MOVEit Transfer versions and the fixed versions in the table embedded below.
Currently, there are more than 2,500 MOVEit Transfer servers on the Internet, most of which are in the United States.