Critical SQL Injection Vulnerability Uncovered in MOVEit Transfer

Progress Software Corporation has recently disclosed a critical vulnerability in its MOVEit Transfer web application, urging users to take immediate action to mitigate the risk.

The vulnerability, officially designated as CVE-2023-34362, is an SQL Injection vulnerability that could potentially lead to escalated privileges and unauthorized access. It affects versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) and has already been exploited in the wild in May and June 2023.

All MOVEit Transfer versions prior to the fixed releases are affected, and unpatched systems reachable over HTTP or HTTPS are the ones exposed to attack. A number of related products are not impacted, including MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely.

The company advises MOVEit Transfer customers to take immediate action. Although a security patch is in the works, users are encouraged to implement a number of mitigation measures in the meantime to defend their systems against unauthorized access.

These steps are:

1. Temporarily disable HTTP and HTTPS traffic.
2. Conduct a comprehensive review of the system.
3. Delete any unauthorized files and user accounts.
4. Reset service account credentials for affected systems.
5. Apply the available security patches.
6. Re-enable HTTP and HTTPS traffic.

Continuous monitoring, even after these steps are taken, is crucial to ensure the system's security.

Progress also suggests implementing general security best practices, such as regularly reviewing and removing any unauthorized user accounts, updating network firewall rules, restricting remote access to trusted IP addresses, and enabling multi-factor authentication.

Apply the Patch

Affected Version                          | Fixed Version                       | Documentation
MOVEit Transfer 2023.0.0 (15.0)           | MOVEit Transfer 2023.0.1            | MOVEit 2023 Upgrade Documentation
MOVEit Transfer 2022.1.x (14.1)           | MOVEit Transfer 2022.1.5            | MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2022.0.x (14.0)           | MOVEit Transfer 2022.0.4            | MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2021.1.x (13.1)           | MOVEit Transfer 2021.1.4            | MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2021.0.x (13.0)           | MOVEit Transfer 2021.0.6            | MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2020.1.x (12.1)           | Special Patch Available             | See KB 000234559
MOVEit Transfer 2020.0.x (12.0) or older  | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide
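As an added example (this is not Progress's code), the following Python check maps a MOVEit Transfer version string to the rows of the table above and reports whether the installed build is at or beyond the fixed version for its branch. It accepts either the internal numbering (15.0.1) or the year-style name (2023.0.1); the conversion between the two assumes the internal major number is the year minus 2008, which holds for every row in the table (2020 is 12, 2023 is 15). Versions newer than anything in the table are reported as unknown rather than guessed at.

```python
"""Map a MOVEit Transfer version string to the fix status for CVE-2023-34362
using the branch/fixed-version pairs from the advisory table.
Added example, not vendor code."""

# Branch (major, minor) -> first patch level that contains the fix, from the table.
FIXED_PATCH = {
    (15, 0): 1,  # 2023.0.1
    (14, 1): 5,  # 2022.1.5
    (14, 0): 4,  # 2022.0.4
    (13, 1): 4,  # 2021.1.4
    (13, 0): 6,  # 2021.0.6
}
SPECIAL_PATCH_BRANCH = (12, 1)  # 2020.1.x: special patch, see KB 000234559
# Assumption derived from the table (2020 -> 12 ... 2023 -> 15): internal major = year - 2008.
YEAR_OFFSET = 2008


def parse_version(text):
    """Return (major, minor, patch) in internal numbering; a missing patch counts as 0."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) > 2 else 0
    if major >= 2000:  # year-style name such as 2023.0.1
        major -= YEAR_OFFSET
    return major, minor, patch


def assess(text):
    """Return (status, required) where status is one of
    'patched', 'vulnerable', 'special_patch', 'unsupported', 'unknown'
    and required names the version or KB article the table points to."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        required = f"{major}.{minor}.{fixed}"
        return ("patched" if patch >= fixed else "vulnerable", required)
    if branch == SPECIAL_PATCH_BRANCH:
        return ("special_patch", "KB 000234559")
    if branch > max(FIXED_PATCH):
        # Newer than anything the table covers; do not guess.
        return ("unknown", None)
    # 2020.0.x (12.0) and older: no patch, must upgrade.
    return ("unsupported", "a supported version")


if __name__ == "__main__":
    for v in ("2023.0.0", "15.0.1", "14.0.3", "2020.1.2", "2020.0.3", "16.0.0"):
        print(v, "->", assess(v))
```

Run it against the version shown in the MOVEit Transfer admin interface; a "vulnerable" result names the minimum build to install, a "special_patch" result points at the KB article, and "unsupported" means the branch has no fix at all.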

The company has also published a set of potential indicators of compromise. These include unexpected file paths and filenames, unusual HTTP requests, an unknown user account, unrecognized IPv4 addresses and CIDR ranges, a specific user agent string, an unknown domain, and SHA256 hashes that match those listed in the indicators table.

Indicators of Compromise

Indicator | Type | Date Added
C:\Windows\TEMP\[random]\[random].cmdline | Folder Path | 01-Jun-2023
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[random]\[random]\App_Web_[random].dll | Filename | 02-Jun-2023
human2.aspx | Filename | 01-Jun-2023
human2.aspx.lnk | Filename | 01-Jun-2023
POST /moveitisapi/moveitisapi.dll | HTTP Request | 01-Jun-2023
POST /guestaccess.aspx | HTTP Request | 01-Jun-2023
POST /api/v1/folders/[random]/files | HTTP Request | 01-Jun-2023
GET /human2.aspx | HTTP Request | 02-Jun-2023
Health Check Service | User Account | 01-Jun-2023
5.252.23.116 | IPv4 | 01-Jun-2023
5.252.25.88 | IPv4 | 01-Jun-2023
84.234.96.104 | IPv4 | 01-Jun-2023
89.39.105.108 | IPv4 | 01-Jun-2023
138.197.152.201 | IPv4 | 01-Jun-2023
148.113.152.144 | IPv4 | 01-Jun-2023
198.12.76.214 | IPv4 | 01-Jun-2023
198.27.75.110 | IPv4 | 03-Jun-2023
209.97.137.33 | IPv4 | 01-Jun-2023
209.222.103.170 | IPv4 | 01-Jun-2023
188.241.58.0/24 | CIDR | 03-Jun-2023
5.252.189.0/24 | CIDR | 01-Jun-2023
5.252.190.0/24 | CIDR | 01-Jun-2023
5.252.191.0/24 | CIDR | 01-Jun-2023
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 | User Agent | 02-Jun-2023
dojustit[.]mooo[.]com | Domain | 02-Jun-2023
0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | SHA256 Hash | 01-Jun-2023
110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | SHA256 Hash | 01-Jun-2023
1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | SHA256 Hash | 01-Jun-2023
2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | SHA256 Hash | 01-Jun-2023
58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | SHA256 Hash | 01-Jun-2023
98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | SHA256 Hash | 01-Jun-2023
a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | SHA256 Hash | 01-Jun-2023
b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | SHA256 Hash | 01-Jun-2023
cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | SHA256 Hash | 01-Jun-2023
ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | SHA256 Hash | 01-Jun-2023
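As an added example of putting the indicators table to work (this is not Progress's code), the Python below scans IIS W3C log lines for the listed HTTP requests, client IPs and CIDR ranges, and the listed user agent, and checks a byte string's SHA256 against the listed hashes. It assumes the IIS site logs the default W3C field set in the default order; the sample log lines in SAMPLE_LOG are constructed for the demonstration, using addresses from the table and a TEST-NET address for the benign entry. A request-path match alone carries less weight than an IP, user-agent or hash match, since POST requests to guestaccess.aspx and the folders API also occur in normal use, so the scanner reports every reason a line matched rather than a single verdict.

```python
"""Match IIS W3C log lines and file contents against the CVE-2023-34362
indicators from the table above. Added example, not vendor code."""
import hashlib
import ipaddress
import re

# Indicators copied from the table above.
IOC_REQUESTS = {("POST", "/moveitisapi/moveitisapi.dll"),
                ("POST", "/guestaccess.aspx"),
                ("GET", "/human2.aspx")}
IOC_FOLDER_UPLOAD = re.compile(r"^/api/v1/folders/[^/]+/files$")  # POST /api/v1/folders/[random]/files
IOC_IPS = {"5.252.23.116", "5.252.25.88", "84.234.96.104", "89.39.105.108",
           "138.197.152.201", "148.113.152.144", "198.12.76.214", "198.27.75.110",
           "209.97.137.33", "209.222.103.170"}
IOC_CIDRS = [ipaddress.ip_network(c) for c in
             ("188.241.58.0/24", "5.252.189.0/24", "5.252.190.0/24", "5.252.191.0/24")]
# IIS writes '+' in place of spaces in cs(User-Agent), which is why the table lists it this way.
IOC_USER_AGENT = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
                  "+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36")
IOC_SHA256 = {
    "0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9",
    "110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286",
    "1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2",
    "2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59",
    "58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166",
    "98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8",
    "a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986",
    "b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03",
    "cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621",
    "ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c",
}

# Assumption: default IIS W3C field set and order. Adjust to the #Fields line of your logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]


def parse_iis_line(line):
    """Return a field dict, or None for '#' directive lines and malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def client_ip_is_ioc(ip):
    """True if the address is a listed IPv4 or falls inside a listed CIDR."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return ip in IOC_IPS or any(addr in net for net in IOC_CIDRS)


def match_ioc(rec):
    """List every indicator a parsed record matches (empty list means no match)."""
    reasons = []
    method, stem = rec["cs-method"].upper(), rec["cs-uri-stem"].lower()
    if (method, stem) in IOC_REQUESTS or (method == "POST" and IOC_FOLDER_UPLOAD.match(stem)):
        reasons.append(f"request {method} {stem}")
    if client_ip_is_ioc(rec["c-ip"]):
        reasons.append(f"client ip {rec['c-ip']}")
    if rec["cs(User-Agent)"] == IOC_USER_AGENT:
        reasons.append("user agent")
    return reasons


def scan_log(lines):
    """Return [(line_number, reasons)] for each line that matches any indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_iis_line(line)
        if rec:
            reasons = match_ioc(rec)
            if reasons:
                hits.append((n, reasons))
    return hits


def sha256_is_ioc(data):
    """True if the SHA256 of the given bytes is one of the listed hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Constructed sample log: one directive line, two matching entries, one benign entry.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2023-06-01 03:12:44 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 5.252.23.116 "
    + IOC_USER_AGENT + " - 200 0 0 120",
    "2023-06-01 03:12:45 10.0.0.5 GET /human2.aspx - 443 - 188.241.58.77 curl/8.0.1 - 200 0 0 15",
    "2023-06-01 08:00:01 10.0.0.5 GET /human.aspx - 443 jdoe 203.0.113.9 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 30",
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

To run it over real logs, feed the lines of each file under the IIS log directory to scan_log and pass each file's contents from the paths listed in the table to sha256_is_ioc; the line numbers in the result point back to the raw entries for review.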