Progress Software Says Purported Bug in MOVEit Isn’t a Fourth ‘Zero Day’

(Bloomberg) — Progress Software Corp. said it has investigated a new purported flaw in its file-sharing software submitted by an anonymous researcher and determined it is not a zero day, the term used for a vulnerability that doesn’t have a fix.

The company’s MOVEit software is at the center of an ongoing hacking campaign by a group called Clop. The Russian-speaking group exploited a zero day in the software, claiming to steal files from hundreds of companies and organizations. In the weeks since the breach was discovered, researchers discovered two more zero days. Progress has issued fixes, or patches, for the three zero days that have been identified.

The anonymous researcher found the third zero day and thought he had found a fourth, which he submitted to Progress.

“We have confirmed that this is not a vulnerability,” said John Eddy, spokesperson for Progress.

The researcher, who describes himself as an exploit writer based in Argentina and goes by the Twitter handle @MCKSysAr, confirmed the verdict. The exploit writer told Bloomberg he initially thought he had found a fourth zero day as a result of code analysis he conducted. But he said that after further testing, it was blocked by extra layers of code in the existing software.

©2023 Bloomberg L.P.