Critical MOVEit vulnerabilities exploited in the wild

Multiple Critical vulnerabilities have been discovered in Progress Software’s MOVEit Transfer solution. In May, a zero-day High severity SQL injection vulnerability, CVE-2023-34362, was disclosed that could allow authenticated attackers to gain access to the MOVEit Transfer database and other sensitive data.

Researchers subsequently discovered additional MOVEit vulnerabilities under attack in July.

CVE-2023-34362

On May 31, 2023, Progress published details on a vulnerability, CVE-2023-34362, in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.

Shortly afterwards, security experts published technical details and indicators of compromise.

“CrowdStrike incident responders have identified evidence of mass file exfiltration from the MOVEit application, as a result of the webshell activity on compromised MOVEit systems,” CrowdStrike wrote in a blog post on June 5, 2023.

Rapid7 provided a good timeline of events and a full exploit chain of CVE-2023-34362 and the subsequent CVEs later discovered in the MOVEit solution, including CVE-2023-35708 and CVE-2023-36934.

CVE-2023-35708

On June 15, 2023, Progress discovered an additional vulnerability, CVE-2023-35708, in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.

“In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” Progress noted in the advisory.

CVE-2023-36932 and CVE-2023-36934

In early July, Progress released a MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) with additional vulnerability fixes for CVE-2023-36932 (High) and CVE-2023-36934 (Critical) that could result in SQL injection.

“In Progress MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database,” Progress noted in the advisory.

“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”
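
The fixed-release lists in the two advisories quoted above can be turned into a patch-level check for an inventory of MOVEit Transfer hosts. The following Python is an added example, not code from Progress or from the original article; the host names and versions in the sample inventory are constructed, and it assumes the installed internal version is available as a dotted string such as 15.0.3.

```python
# Added example. Fixed builds are copied from the two advisories quoted on this page,
# keyed by release branch of the internal version number (15.0 is 2023.0).
FIXED = {
    "June 2023 advisory": {
        (13, 0): (13, 0, 8), (13, 1): (13, 1, 6), (14, 0): (14, 0, 6),
        (14, 1): (14, 1, 7), (15, 0): (15, 0, 3),
    },
    "July 2023 advisory": {
        (12, 1): (12, 1, 11), (13, 0): (13, 0, 9), (13, 1): (13, 1, 7),
        (14, 0): (14, 0, 7), (14, 1): (14, 1, 8), (15, 0): (15, 0, 4),
    },
}


def parse_version(text):
    """Parse an internal version string such as '15.0.3' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted internal version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Map each advisory to 'fixed', 'affected' or 'branch not listed'."""
    version = parse_version(version_text)
    result = {}
    for advisory, fixed_by_branch in FIXED.items():
        fixed = fixed_by_branch.get(version[:2])
        if fixed is None:
            # The advisory names no fixed build for this branch, so do not guess.
            result[advisory] = "branch not listed"
        elif version[:3] >= fixed:
            result[advisory] = "fixed"
        else:
            result[advisory] = "affected"
    return result


# Constructed inventory: host names and versions are made up for this example.
INVENTORY = {"mft-prod": "15.0.3", "mft-dr": "14.1.8", "mft-legacy": "12.1.10"}


def needs_update(inventory):
    """Return hosts with at least one advisory that is not 'fixed'."""
    return sorted(h for h, v in inventory.items()
                  if any(s != "fixed" for s in triage(v).values()))


if __name__ == "__main__":
    for host, version in INVENTORY.items():
        print(host, version, triage(version))
    print("needs update:", needs_update(INVENTORY))
```

A host on a build that cleared the June advisory (15.0.3) still shows as affected under the July one, which is why each advisory is evaluated separately.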

CVE-2023-36933

Regarding High severity CVE-2023-36933, Progress warned that “it is possible for an attacker to invoke a method which results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.”

CVE-2023-36933 was also fixed in the same MOVEit Transfer 2020.1 (12.1) Service Pack released in July 2023.
