XM Cyber’s Research team is closely observing the emergence of a zero-day vulnerability in Progress Software’s popular managed file transfer solution, MOVEit Transfer. On May 31, Progress informed customers via a security advisory about the critical zero-day vulnerability, which had already been observed in the wild. According to Bleeping Computer, attacks using the vulnerability were first observed on May 27th, 3 days before Progress released its advisory.
Privilege escalation and unauthorized access
When exploited, this vulnerability, which is being tracked as CVE-2023-34362, could lead to privilege escalation and provide unauthorized access, allowing attackers to enter environments and exfiltrate data. To date, there are indicators that many US-based organizations using the software have already been affected, and there are over 2500 potentially vulnerable instances that are publicly accessible, according to Shodan.
Not a lot is known about the exploit, as it is still relatively new. After some discussion about whether it was an unrestricted file upload vulnerability or an SQL injection vulnerability, it is now known to be an SQL injection vulnerability, which could allow attackers to make their way into MOVEit Transfer’s database. According to the advisory, “depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements…exploitation of unpatched systems can occur via HTTP or HTTPS.”
Critical and all versions are susceptible
In its advisory, Progress Software stresses the critical nature of the vulnerability and that all MOVEit Transfer versions are susceptible. It provides 3 levels of guidance on how to mitigate: the first is to deny service by blocking all HTTP/HTTPS traffic to the MOVEit Transfer environment. Next, it recommends deleting unauthorized files and user accounts. Then it advises patching the affected version. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert urging users to follow the steps listed in the Progress Software advisory to avoid infiltration. On a positive note, Progress states that, “At this time, it is important to note that we have no evidence that the cloud service has suffered any exfiltration of data in an unauthorized manner.”
What to do now
- Map all servers hosting MOVEit Transfer and the version each one runs. The following versions are considered vulnerable:
  - MOVEit Transfer 2023.0.0 (15.0)
  - MOVEit Transfer 2022.0.x (14.1)
  - MOVEit Transfer 2022.0.x (14.0)
  - MOVEit Transfer 2021.0.x (13.1)
  - MOVEit Transfer 2021.0.x (13.0)
  - MOVEit Transfer 2020.1.1 (12.1)
  - MOVEit Transfer 2020.0.x (12.0) or older
- Patch all vulnerable servers. XM Cyber customers can prioritize patching according to the critical assets at risk.
- Watch the Progress advisory for indicators of compromise (IOCs) as they are published.
We will continue to update this post as further relevant details emerge.