This post provides the latest updates on the security of our MOVEit Transfer and MOVEit Cloud products. The security of our customers and their environments is of the highest importance to us. That is why we have continued to collaborate with cybersecurity leaders such as CISA (Cybersecurity & Infrastructure Security Agency), CrowdStrike, Huntress, Mandiant, Microsoft and Rapid7, among others, to promote the security of MOVEit Transfer and MOVEit Cloud and validate that we are taking appropriate, responsive measures and sharing important cyber threat intelligence.
The investigation of the MOVEit Transfer and MOVEit Cloud vulnerability (CVE-2023-34362) we previously reported remains ongoing. In an effort to increase the security of the MOVEit platform and its customers, we are partnering with third-party cybersecurity experts to conduct additional detailed code reviews.
As part of these code reviews, cybersecurity firm Huntress worked with us to uncover additional vulnerabilities that could potentially be used by bad actors to stage an exploit. Based upon the evidence to date, these newly identified vulnerabilities (CVE-2023-35036) only impact MOVEit Transfer and MOVEit Cloud and appear to be distinct from the vulnerability reported on May 31 (CVE-2023-34362). It’s important to keep in mind that the investigation remains ongoing; however, we have not seen indications that these newly discovered vulnerabilities (CVE-2023-35036) have been exploited. To the best of our knowledge, at this time, no other Progress products have been impacted.
As of June 9, 2023, we have taken immediate action, developing and releasing a new patch to address the June 9 reported issue (CVE-2023-35036) and have deployed that patch to MOVEit Cloud. We have also communicated to MOVEit Transfer customers the steps they must take to apply the patch and harden their MOVEit Transfer environments. We will continue to update our Security Center if and when additional information becomes available.
We strongly urge our MOVEit Transfer customers to immediately take steps to apply the latest released patch as outlined in the knowledge base article, accessible through the Security Center.
We are thankful for the many cybersecurity researchers in the industry who have been helping us throughout this process. Progress remains dedicated to partnering with the community as part of our ongoing commitment to security.
We are continuing to work around the clock to help our customers protect their environments and we will continue to provide updates as they are available.
Richard Barretto is the Chief Information Security Officer at Progress. Richard and his team are responsible for overseeing and developing the data protection strategy for the Progress enterprise. He joined the company back in 2020 and has 20-plus years of experience as a cyber security professional. In his free time, he likes playing tennis and spending time with family.