Progress MOVEit Transfer Critical Vulnerability
Summary
A SQL injection vulnerability in the MOVEit Transfer web application is being actively exploited in the wild
Affected platforms
The following platforms are known to be affected:
Threat details
Take immediate action
The Progress MOVEit Transfer security advisory urges immediate mitigation action to prevent unauthorised access to MOVEit Transfer environments, and also urges organisations to check for potential indicators of compromise (IoCs) over the past 30 days. Further detailed information, including IoCs and security updates, is included in the advisory.
Introduction
Progress (formerly Ipswitch) has released security updates and mitigations for a critical SQL injection vulnerability found in the MOVEit Transfer web application, a managed secure file transfer tool. The critical vulnerability could allow an unauthenticated, remote attacker to escalate privileges, gain access to the environment, and infer information about the structure and contents of the database. The attacker could also have the ability to execute SQL statements or delete database elements.
Active Exploitation in the wild
Several intelligence sources are reporting active exploitation in the wild. Affected organisations are strongly encouraged to review the advisory and take steps to mitigate and remediate the vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-34362 to its Known Exploited Vulnerabilities Catalog.
Threat updates
| Date | Update |
|---|---|
| 5 Jun 2023 | CVE added to NIST & CVE List<br>This vulnerability has been changed to reflect the following:<br>Additionally, new IoCs were added to the security advisory. |
| 2 Jun 2023 | Changes to the security advisory and reports of active exploitation in the wild<br>This cyber alert has been altered to reflect the following changes. The vulnerability has been announced on the advisory as being a SQL injection vulnerability. A CVE has not been announced. The recommended remediation has changed since this Cyber Alert was first issued. Three new steps have been added to prevent successful exploitation of the SQL injection vulnerability in MOVEit Transfer environments. Instructions in some of the previous steps have changed, especially in Step 2. Affected organisations are encouraged to follow the remediation listed in the advisory. Active exploitation has been reported in the wild. |
Remediation advice
Affected organisations are encouraged to review the Progress Community advisory MOVEit Transfer Critical Vulnerability (May 2023) and immediately apply mitigations and updates as soon as practicable. Indicators of compromise are also included in the advisory.
Remediation steps
| Type | Step |
|---|---|
| Action | Step 1: Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More detailed information is in the security advisory. |
| Action | Step 2: Review, Delete and Reset. More detailed information is in the security advisory. |
| Patch | Step 3: Apply the security update to a fixed version. All supported MOVEit Transfer versions are available, and a special patch is available for MOVEit Transfer 2020.1.x. More detailed information is in the security advisory. |
| Guidance | Step 4: Verification. More detailed information is in the security advisory. |
| Guidance | Step 5: Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More detailed information is in the security advisory. |
| Guidance | Step 6: Continuous Monitoring. More detailed information is in the security advisory. |
| Guidance | Please see here for MOVEit Security Best Practices. |
Definitive source of threat updates
Last edited: 5 June 2023 3:09 pm