Zero-day Vulnerability in MOVEit Transfer is Being Actively Exploited
A zero-day vulnerability in the MOVEit Transfer managed file transfer software is being actively exploited to steal data. The critical SQL injection flaw can be exploited to allow database access without authentication. Progress Software has released fixes for supported versions of MOVEit Transfer. They have also deployed a fix for MOVEit Cloud. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog.
If you haven't patched yet: You are too late. Technically, this wasn't quite a "0-day" in that the patch appeared a bit ahead of the public exploit.
If the vulnerability fix being due 6/23 on the KEV catalog doesn't support your case to deploy the fix quickly, add that it's being actively exploited. You really don't want to have the conversation about why you didn't deploy the update when you knew the vulnerability was being actively exploited.
Words like ‘zero-day’ and ‘actively exploited’ should be enough for information security professionals to prioritize this vulnerability at the top of their patch list. It now comes down to a race between evil-doers that want to exploit the vulnerability and organizations trying to patch this software in their enterprise.
Read more in
Bleeping Computer: CISA orders govt agencies to patch MOVEit bug used for data theft