Security Incident: Polyfill and MOVEit
On June 25th, 2024, two issues reported as under active exploitation were published to the National Vulnerability Database (NVD): an authentication bypass in Progress MOVEit Transfer (CVE-2024-5806) and the compromise of the Polyfill.io CDN service (CVE-2024-38526). This post outlines the steps you can take to protect your organization and your third-party network, and summarizes our own investigation and mitigation efforts.
Description
MOVEit Transfer is managed file transfer software, and Polyfill.io is a CDN that serves JavaScript polyfills to websites that load it with a script tag. Both are widely used across industries, so these two issues can affect organizations of any size, either directly or through a vendor.
Severity and Impact
If you are a MOVEit Transfer or Polyfill.io customer, it is extremely important that you take immediate action as described below. As of this writing, NIST has not completed its analysis of either CVE or assigned a severity rating. However, multiple organizations have reported incidents related to these two issues, so remediation should not wait for a rating.
Step 1: Determine if you are at risk.
- If you are running any of the products or versions listed under Affected Services below, your organization is at risk. See Step 2 for remediation recommendations.
- Both issues may indirectly impact your organization if your vendors use either product; a vendor's MOVEit Transfer instance holds your files, and a vendor's web application that loads polyfill.io executes the script in your users' browsers.
- To assess whether your third parties use MOVEit Transfer or the polyfill.io CDN, and what the impact is, use the MOVEit Transfer Critical Vulnerability and Polyfill.io Compromised Domain Questionnaires in the Whistic platform under our Questionnaire Standards Library.
Affected Services
- MOVEit Transfer
  - 2023.0.0 through 2023.0.10
  - 2023.1.0 through 2023.1.5
  - 2024.0.0 through 2024.0.1
- Polyfill
  - cdn.polyfill.io
  - bootcss.com
Step 2: Remediate, then rotate credentials and secrets related to the affected services.
- Affected organizations are urged to:
  - For MOVEit Transfer customers: upgrade to the fixed release for your branch: 2023.0.11, 2023.1.6, or 2024.0.2. Treat versions not listed above as unverified rather than safe, and confirm against the vendor advisory.
  - For polyfill.io customers: remove all references and links to cdn.polyfill.io or bootcss.com. Check HTML, templates, and any JavaScript that builds script tags at runtime, since a search for static script tags alone will miss those.
  - Rotate credentials and secrets associated with the affected services once remediation is complete.
- All organizations are encouraged to assess their third parties for risk related to these issues, where applicable.
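As an added example (not Whistic's, Progress's, or Polyfill.io's own code), the two checks below map onto Steps 1 and 2: `moveit_status` compares a MOVEit Transfer version string against the affected ranges listed above, and `find_compromised_references` scans page, template, or JavaScript text for URLs whose host is one of the listed domains, including references built at runtime rather than written as a static script tag. The version ranges and domains are exactly those listed on this page; the sample HTML page is constructed for the demonstration, and matching subdomains of the listed domains (for example cdn.bootcss.com) is an assumption made here.

```python
"""Checks for Steps 1 and 2 above. Added example, not code from Whistic,
Progress, or Polyfill.io. Version ranges and domains are the ones listed
on this page; the sample page is constructed for the demo."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains named under "Affected Services". Subdomains (e.g. cdn.bootcss.com)
# are matched as well (assumption: references point at a host under the domain).
COMPROMISED_DOMAINS = ("cdn.polyfill.io", "bootcss.com")

# MOVEit Transfer branches from the post: (first, last) affected patch level and
# the patch level that fixes the branch. Anything else is "unlisted", not "safe".
MOVEIT_BRANCHES = {
    (2023, 0): ((0, 10), 11),  # 2023.0.0 - 2023.0.10, fixed in 2023.0.11
    (2023, 1): ((0, 5), 6),    # 2023.1.0 - 2023.1.5,  fixed in 2023.1.6
    (2024, 0): ((0, 1), 2),    # 2024.0.0 - 2024.0.1,  fixed in 2024.0.2
}


def moveit_status(version: str) -> Tuple[str, Optional[str]]:
    """Return ("affected" | "fixed" | "unlisted", fixed_version) for a
    MOVEit Transfer version string such as "2023.1.4" (YEAR.MINOR.PATCH)."""
    try:
        year, minor, patch = (int(p) for p in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"expected YEAR.MINOR.PATCH, got {version!r}") from exc
    branch = MOVEIT_BRANCHES.get((year, minor))
    if branch is None:
        return ("unlisted", None)  # not in the post's table: check the vendor advisory
    (first, last), fixed_patch = branch
    fixed = f"{year}.{minor}.{fixed_patch}"
    return ("affected", fixed) if first <= patch <= last else ("fixed", fixed)


# Absolute or protocol-relative URL: optional scheme, "//" host, optional port and path.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s"'<>)]*)?""")


def is_compromised_host(url: str) -> bool:
    """True if the URL's host is a listed domain or a subdomain of one.
    Comparing the parsed host, not a substring, avoids flagging look-alikes
    such as cdn.polyfill.io.example.net."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in COMPROMISED_DOMAINS)


def find_compromised_references(text: str) -> List[Tuple[int, str]]:
    """Scan text line by line and return (line_no, url) for every reference to a
    compromised domain, whether it sits in a src/href attribute or in JavaScript
    that assembles a script element at runtime."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            if is_compromised_host(url):
                hits.append((line_no, url))
    return hits


# Constructed sample page: one static polyfill tag, one bootcss stylesheet,
# one unrelated CDN, and one loader built at runtime.
SAMPLE_PAGE = """<!doctype html>
<html><head>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
  <link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
  <script src="https://cdn.example.com/app.js"></script>
  <script>
    /* loader built at runtime: a grep for "<script src" would miss it */
    var s = document.createElement('script'); s.src = 'https://cdn.polyfill.io/v2/polyfill.js';
  </script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for v in ("2023.0.10", "2023.1.6", "2022.1.3"):
        print(v, "->", moveit_status(v))
    for line_no, url in find_compromised_references(SAMPLE_PAGE):
        print(f"line {line_no}: {url}")
```

Run `find_compromised_references` over every file in a web project's checkout, not just the rendered HTML, so that template partials and bundled JavaScript are covered; a hit on an unlisted subdomain of the same domain should be removed too, since the whole domain is under the new owner's control.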
Does this affect Whistic?
Based on our investigation, this situation does not directly impact Whistic. Whistic does not use MOVEit Transfer or polyfill.io, and we have not identified any of our third parties that use these products. We follow a structured approach to vulnerability identification and remediation, using tooling both in the development lifecycle and in our staging and production environments.