The company behind the MOVEit managed file transfer application is urging customers into a new round of emergency patching after identifying additional vulnerabilities.
Progress Software in a Friday update said it had identified additional SQL injection vulnerabilities allowing attackers access to the MOVEit transfer database. “These newly discovered vulnerabilities are distinct from the previously reported vulnerability,” it wrote.
Likely hundreds of customers have already been affected by an SQL zero-day the company patched on May 31, tracked as CVE-2023-34362.
The Clop ransomware-as-a-service group said it orchestrated the attacks. The Russian-speaking gang has threatened to begin naming victims starting Wednesday (see: Clop Ransomware Gang Asserts It Hacked MOVEit Instances).