June 2, 2023

To: The Chief Information Security Officers of All Regulated Entities

From: The New York Department of Financial Services

Re: MOVEit Transfer Vulnerability

On June 1, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and others announced that Progress Software (“Progress”) released a security advisory for a vulnerability in MOVEit Transfer, a managed file transfer software product.

According to Progress’s website, a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. This vulnerability could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, Progress recommends you take immediate action, including the mitigation measures listed on their website and patching affected versions.

Threat actors are actively exploiting this vulnerability. Successful exploitation of the vulnerability can be used to deploy ransomware, steal data, and disrupt operations.

All regulated entities should promptly assess risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and take action to mitigate risk. As you assess your risk, we recommend reviewing the CISA Alert and the MOVEit Security Advisory.

Regulated entities are reminded to report cybersecurity events that meet the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal, which can be accessed from DFS’s Cybersecurity Resource Center. DFS considers evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated, a reportable Cybersecurity Event pursuant to 23 NYCRR Section 500.17(a)(2).