Working to Enhance the Security of MOVEit Transfer Products through Partnership and Transparency

June 13, 2023 Security and Compliance, MOVEit

This post provides information about the latest updates as they relate to the security of our MOVEit Transfer and MOVEit Cloud products. The security of our customers and their environments is of the highest importance to us. That is why we have continued to collaborate with cybersecurity leaders such as CISA (Cybersecurity & Infrastructure Security Agency), CrowdStrike, Huntress, Mandiant, Microsoft and Rapid7, among others, to promote the security of MOVEit Transfer and MOVEit Cloud and validate that we are taking appropriate, responsive measures and sharing important cyber threat intelligence.

Extensive Code Review & New Patch

The investigation of the MOVEit Transfer and MOVEit Cloud vulnerability (CVE-2023-34362) we previously reported remains ongoing. In an effort to increase the security of the MOVEit platform and its customers, we are partnering with third-party cybersecurity experts to conduct additional detailed code reviews. 

As part of these code reviews, cybersecurity firm Huntress worked with us to uncover additional vulnerabilities that could potentially be used by bad actors to stage an exploit. Based upon the evidence to date, these newly identified vulnerabilities (CVE-2023-35036) only impact MOVEit Transfer and MOVEit Cloud and appear to be distinct from the vulnerability reported on May 31 (CVE-2023-34362). It’s important to keep in mind that the investigation remains ongoing; however, we have not seen indications that these newly discovered vulnerabilities (CVE-2023-35036) have been exploited. To the best of our knowledge, at this time, no other Progress products have been impacted.

As of June 9, 2023, we have taken immediate action, developing and releasing a new patch to address the June 9 reported issue (CVE-2023-35036) and have deployed that patch to MOVEit Cloud. We have also communicated to MOVEit Transfer customers the steps they must take to apply the patch and harden their MOVEit Transfer environments. We will continue to update our Security Center if and when additional information becomes available.

We strongly urge our MOVEit Transfer customers to immediately take steps to apply the latest released patch as outlined in the knowledge base article, accessible through the Security Center.

Gratitude for Our Industry Collaborators

We are thankful for the many cybersecurity researchers in the industry who have been helping us throughout this process. Progress remains dedicated to partnering with the community as part of our ongoing commitment to security.

We are continuing to work around the clock to help our customers protect their environments and we will continue to provide updates as they are available.

Richard Barretto

Richard Barretto is the Chief Information Security Officer at Progress. Richard and his team are responsible for overseeing and developing the data protection strategy for the Progress enterprise. He joined the company back in 2020 and has 20-plus years of experience as a cyber security professional. In his free time, he likes playing tennis and spending time with family.
