MOVEit developer Progress Software has warned that its file transfer platform has yet another vulnerability that threat actors could exploit.
“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment,” the company said in a June 15 post on its community site.
“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment,” Progress warns.
Criminals have been exploiting a critical flaw in Progress Software’s popular file transfer tool MOVEit since May, opening up its users to cyber intrusions.
Clop ransomware operators are now extorting hundreds of victim companies that used the flawed tool.
Affected organizations include UK payment service provider Zellis, the BBC, British Airways and Aer Lingus; the Canadian province of Nova Scotia; the University of Rochester in the US state of New York; professional services firm EY; and, most recently, British oil and gas giant Shell. The US Department of Energy (DOE) is also impacted, according to reports.
This is the third weakness signaled by Progress in its tool. The vulnerability has yet to be assigned a CVE number, while a patch is still under development.
The company offers IT administrators a comprehensive list of recommendations to mitigate attacks, as security researchers are reportedly already coming up with proofs-of-concept to exploit the flaw.