Monday, 12 June 2023 12:34

MOVEit is having a Very Bad Week as more Flaws Found after Security Audit


MOVEit has been in the news quite a bit lately. First came the disclosure of a zero-day that had been actively exploited since October 2022. Next came the revelation that the group exploiting the flaw had probably been tinkering around the vulnerability since mid-2021. If that were not bad enough, a new security audit of the MFT (managed file transfer) product has found even more vulnerabilities in the service. The flaws are similar to the original zero-day flaws in that they are SQL injection flaws that allow theft of data from customer databases.

The new flaws were found during a full code review by security firm Huntress, carried out after the original zero-days were fixed. The vulnerabilities identified by Huntress exist in all versions of MOVEit and allow an unauthenticated attacker to send a malicious payload to an internet-exposed MOVEit server to either modify or extract data contained in the database. As of this writing there is no evidence that this new flaw is being actively exploited, but all MOVEit customers are advised to patch now. If you are using the cloud-hosted version of MOVEit, the patch has already been installed, so you should be covered from this latest threat.

The series of events that has impacted MOVEit MFT and the people using it is another example of the importance of proper application testing, the creation of a proper SBOM, and tracking all the pieces involved in making your service work. We hope that Progress and other organizations take this lesson to heart and make changes to how they run their services. We also hope that customers take this to heart and require service providers to show proof of proper testing and security before taking on a new service.

Stay safe out there
