Progress Software has discovered a vulnerability in its file transfer software MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment, the company said in a security advisory.

“A SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database,” the company said in the post, adding that depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

MOVEit Transfer is designed to allow enterprises to transfer files securely between business partners and customers.

“All MOVEit Transfer versions are affected by this vulnerability,” Progress said in the advisory. The company has made patches available for versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). The vulnerability is yet to be assigned a CVE identifier and CVSS score.

The vulnerability has been exploited

Several cybersecurity firms have reported that threat actors have likely already exploited the vulnerability. “Progress Software is advising MOVEit customers to check for indicators of unauthorized access over at least the past 30 days, which implies that attacker activity was detected before the vulnerability was disclosed,” Rapid7 said in a blog post.

As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the US, Rapid7 said in the blog. The firm has identified the same web shell name in multiple customer environments, which may indicate automated exploitation. The web shell code first determines whether an inbound request contains a header named X-siLock-Comment, and returns a 404 “Not Found” error if the header is not populated with a specific password-like value.

“As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory (human.aspx is the native aspx file used by MOVEit for the web interface),” Rapid7 said in the blog.

Users advised to review activity for the last 90 days

Cybersecurity firm GreyNoise has observed scanning activity for the login page of MOVEit Transfer, located at /human.aspx, as early as March 3, 2023. “While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as ‘Malicious’ by GreyNoise for prior activities,” the company said in a blog post, adding that based on the scanning activity observed, it recommends that users of MOVEit Transfer extend the time window for their review of potentially malicious activity to at least 90 days.

Similarly, TrustedSec noted that the backdoors have been uploaded to public sites since May 28, 2023, “meaning the attackers likely took advantage of the Memorial Day holiday weekend to gain access to systems. There have also been reports of data exfiltration from affected victims,” TrustedSec said in a blog post.

Mitigation recommendations

Progress advises users to deny all HTTP (TCP/80) and HTTPS (TCP/443) traffic to the MOVEit environment. Note that this will block all access to the system, but SFTP/FTP, which currently appears unaffected, will still work.

The company also advises isolating the servers by blocking inbound and outbound traffic, inspecting the environments for possible indicators of compromise and, if any are found, deleting them before applying the fixes.

“File transfer solutions have been popular targets for attackers, including ransomware groups, in recent years. We strongly recommend that MOVEit Transfer customers prioritize mitigation on an emergency basis,” Rapid7 said in the post.

CISA has also issued an alert urging users and organizations to follow the mitigation steps to secure against any malicious activity.

Update: Microsoft has attributed the MOVEit exploit to the Clop ransomware group.
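A defender-side check for the two indicators the article gives, as an added example that is not code from Progress, Rapid7 or GreyNoise: it lists every .aspx in the MOVEit wwwroot folder other than the native human.aspx (so human2.aspx stands out) and marks which of them were written inside the 90-day review window. The function names and the sample listing are constructed for illustration.

```python
import os
import time
from datetime import datetime, timezone

# human.aspx is the native MOVEit login page; any other .aspx in the web root is unexpected.
EXPECTED_ASPX = {"human.aspx"}
REVIEW_WINDOW_DAYS = 90  # the extended review window GreyNoise recommends


def classify_aspx(entries, now, window_days=REVIEW_WINDOW_DAYS):
    """Flag unexpected .aspx files from (relative_path, mtime_epoch) pairs, newest first."""
    cutoff = now - window_days * 86400
    findings = []
    for rel_path, mtime in entries:
        name = os.path.basename(rel_path).lower()
        if not name.endswith(".aspx"):
            continue
        if name in EXPECTED_ASPX and os.path.dirname(rel_path) == "":
            continue  # the genuine login page at the top of wwwroot
        findings.append({
            "path": rel_path,
            "modified": datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat(),
            "in_window": mtime >= cutoff,  # written inside the review window
        })
    findings.sort(key=lambda f: f["modified"], reverse=True)
    return findings


def scan_wwwroot(wwwroot, now=None):
    """Walk a real wwwroot folder (paths relative to it) and classify its contents."""
    now = time.time() if now is None else now
    entries = []
    for root, _dirs, files in os.walk(wwwroot):
        for fname in files:
            full = os.path.join(root, fname)
            entries.append((os.path.relpath(full, wwwroot), os.stat(full).st_mtime))
    return classify_aspx(entries, now)


if __name__ == "__main__":
    # Constructed listing standing in for a real wwwroot; not captured data.
    now = 1685577600  # 2023-06-01T00:00:00Z
    sample = [
        ("human.aspx", now - 400 * 86400),       # shipped with the product
        ("human2.aspx", now - 3 * 86400),        # the web shell name from the article
        ("old/legacy.aspx", now - 400 * 86400),  # constructed stale leftover
    ]
    for f in classify_aspx(sample, now):
        print("REVIEW" if f["in_window"] else "older ", f["modified"], f["path"])
```

Anything the scan reports should be compared against a clean install of the same MOVEit build before it is treated as a web shell, and a hit inside the window is a reason to isolate the host as Progress advises rather than to delete the file and move on.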