Full Report
Detect and mitigate CVE-2023-34362, a remote code execution vulnerability in MOVEit Transfer exploited in the wild. Organizations should patch urgently.
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Progress MOVEit Transfer (SQLi & RCE)
Progress MOVEit Transfer is affected by multiple critical vulnerabilities, including a known exploited SQL Injection zero-day (CVE-2023-34362) used in widespread attacks by the Cl0p ransomware group.
## CVE Details
- **CVE-2023-34362** (SQL Injection leading to RCE)
  - **CVSS Score:** Not explicitly stated in the vendor advisory; described as "critical" and actively exploited.
  - **CWE:** CWE-89 (SQL Injection)
- **CVE-2023-35036** (SQL Injection)
  - **CVSS Score:** Not explicitly stated in the vendor advisory; described as "critical".
  - **CWE:** CWE-89 (SQL Injection)
- **CVE-2023-35708** (SQL Injection)
  - **CVSS Score:** Not explicitly stated in the vendor advisory; described as "critical".
  - **CWE:** CWE-89 (SQL Injection)
## Affected Systems
- **Products:** Progress MOVEit Transfer (Windows-Server-based MFT service)
- **Versions:** Every release of the branches below earlier than the fixed minor version listed for that branch. Older branches (2020.0.x / 12.0.x and earlier) receive no fix and must be upgraded to a supported branch.
- **Configurations:** Applies regardless of the database backend; instances running on MySQL, Microsoft SQL Server, or Azure SQL are all affected.
| Affected Major Version | Fixed Minor Version |
| :--- | :--- |
| 2023.0.0 | 2023.0.3 (15.0.3) |
| 2022.1.x | 2022.1.7 (14.1.7) |
| 2022.0.x | 2022.0.6 (14.0.6) |
| 2021.1.x | 2021.1.6 (13.1.6) |
| 2021.0.x | 2021.0.8 (13.0.8) |
| 2020.1.x | 2020.1.10 (12.1.10) |
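The table lists each fix in both version schemes (the calendar-style product version and the internal version in parentheses), and inventories often report one or the other. The following Python script, added here as an example and not vendor tooling, classifies version strings in either scheme against the table, treats unlisted branches as needing an upgrade rather than a patch, and ignores a trailing build number. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage installed MOVEit Transfer versions against the fixed minor versions
in the table above. Added example for this page, not vendor tooling; the
inventory at the bottom is constructed sample data."""
import re
from typing import Dict, List, Optional, Tuple

# Branch -> (fixed product version, fixed internal version), copied from the table.
FIXED: Dict[str, Tuple[str, str]] = {
    "2023.0": ("2023.0.3", "15.0.3"),
    "2022.1": ("2022.1.7", "14.1.7"),
    "2022.0": ("2022.0.6", "14.0.6"),
    "2021.1": ("2021.1.6", "13.1.6"),
    "2021.0": ("2021.0.8", "13.0.8"),
    "2020.1": ("2020.1.10", "12.1.10"),
}

# Internal major.minor (e.g. "14.1") -> branch, derived from the same table so
# that versions reported in either scheme can be classified.
INTERNAL_TO_BRANCH: Dict[str, str] = {
    internal.rsplit(".", 1)[0]: branch for branch, (_, internal) in FIXED.items()
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None for strings that are not versions.
    A trailing build number (e.g. 15.0.3.41) is accepted and ignored, because
    the fixes in the table are identified by the third component."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def branch_of(version: Tuple[int, int, int]) -> Optional[str]:
    """Map a parsed version to a branch in the table, or None if the branch is
    not one the advisory covers (for example 2020.0.x / 12.0.x and older)."""
    prefix = f"{version[0]}.{version[1]}"
    if prefix in FIXED:
        return prefix
    return INTERNAL_TO_BRANCH.get(prefix)


def assess(version_text: str) -> str:
    """Classify one version string as 'patched', 'vulnerable', 'unsupported'
    (branch not in the table: no fix exists, upgrade) or 'unknown' (unparsable)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    branch = branch_of(version)
    if branch is None:
        return "unsupported"
    product, internal = FIXED[branch]
    # Compare within the scheme the input used: product versions start with the
    # year (2020-2023), internal versions with the major number (12-15).
    uses_product_scheme = f"{version[0]}.{version[1]}" == branch
    fixed = parse_version(product if uses_product_scheme else internal)
    assert fixed is not None  # table entries are always well-formed
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'vulnerable' and 'unsupported'
    buckets can go straight to the patching queue."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unsupported": [], "unknown": []}
    for host, version_text in inventory.items():
        buckets[assess(version_text)].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {
        "mft-prod-01": "2022.1.5",
        "mft-prod-02": "15.0.3.41",
        "mft-dr-01": "2020.0.7",
        "mft-lab-01": "n/a",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Anything that lands in the `unsupported` bucket is not "safe because it is old": those branches were never patched, so the only remediation is an upgrade to a fixed branch.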
## Vulnerability Description
The primary vulnerability detailed, **CVE-2023-34362**, is a critical SQL Injection flaw in the MOVEit Transfer web application that allows an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. Depending on the database engine in use, successful exploitation can lead to disclosure, alteration, or deletion of database content, potentially leading to Remote Code Execution (RCE) on the server. **CVE-2023-35036** and **CVE-2023-35708** are additional critical SQL injection vulnerabilities in the same web application, disclosed by the vendor on June 9 and June 15, 2023 respectively following further code review; they could likewise allow an attacker to modify and disclose database content.
## Exploitation
- **Status:** **Exploited in the wild.** Mass exploitation of CVE-2023-34362 began in late May 2023; scanning of MOVEit Transfer login pages was observed from early March 2023, and some reports place attacker testing against the product as early as mid-2021.
- **Complexity:** **Low** for CVE-2023-34362: no authentication is required and the injection point is reachable through the public web application.
- **Attack Vector:** **Network** (via the MOVEit Transfer web application endpoint over HTTP/HTTPS).
## Impact
- **Confidentiality:** High (Disclosure of database content).
- **Integrity:** High (Ability to alter or delete database elements).
- **Availability:** Information not explicitly given, but data alteration/deletion can lead to service disruption.
## Remediation
### Patches
Customers must immediately update to the following fixed minor versions:
- **2023.0.3** (for 2023.0.0 branch)
- **2022.1.7** (for 2022.1.x branch)
- **2022.0.6** (for 2022.0.x branch)
- **2021.1.6** (for 2021.1.x branch)
- **2021.0.8** (for 2021.0.x branch)
- **2020.1.10** (for 2020.1.x branch)
### Workarounds
1. **Temporarily block inbound HTTP (port 80) and HTTPS (port 443) traffic** to MOVEit Transfer servers until the patch is applied. While the block is in place the web UI, the REST/.NET/Java APIs and MOVEit Automation tasks that use the web interface are unavailable, but SFTP and FTP/S transfers continue to work, as those protocols are not affected by these vulnerabilities.
2. **Reset credentials after patching.** Reset the MOVEit Transfer service account and database credentials. If the instance uses Azure integration (for example Azure Blob storage or an Azure SQL database), rotate the associated cloud keys as well and update the MOVEit Transfer configuration with the new values.
## Detection
- **Indicators of Compromise:** Refer to the vendor advisory (see References) for the full list of IoCs. Because the flaws give direct access to the application database, review MOVEit Transfer servers for unexpected files, unexpected user accounts and unexplained database changes, not only for the signatures in the advisory.
- **Detection Methods and Tools:** Check the environment for MOVEit Transfer instances exposed to the internet (Censys data suggests many are publicly exposed, particularly on Azure) and compare each installed version against the fixed versions above. Wiz customers can use the pre-built queries in the Wiz Threat Center to locate vulnerable instances. Scanning activity against MOVEit Transfer login pages was observed as early as March 3, 2023, so web server logs from that date onward are worth reviewing for reconnaissance against the login page.
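One concrete way to act on the scanning observation above is to look for sources that hit the web login page far more often than a human would. The Python script below, added here as an example and not vendor or Wiz tooling, parses IIS W3C logs using the `#Fields:` directive and flags any client IP whose login-page requests reach a threshold within a sliding window. The log lines are constructed, and the login path `/human.aspx` is an assumption for this example; adjust it to the path your instance serves.

```python
"""Flag sources that hammer the MOVEit Transfer web login page in IIS W3C
logs. Added example for this page, not vendor or Wiz tooling. The log lines
are constructed, and the login path is an assumption for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterator

LOGIN_PATH = "/human.aspx"        # assumed MOVEit Transfer web login page
WINDOW = timedelta(minutes=5)     # sliding window per source address
THRESHOLD = 20                    # login-page hits within WINDOW that count as scanning


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the '#Fields:'
    directive. Comment lines and records that do not match the field count
    (truncated or rotated lines) are skipped rather than mis-parsed."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_scanners(text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> Dict[str, int]:
    """Return {client IP: peak hits in any window} for sources whose login-page
    requests reach the threshold. The deque per IP holds only timestamps still
    inside the window, so memory stays bounded on large logs."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        hits = recent[rec["c-ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            flagged[rec["c-ip"]] = max(flagged.get(rec["c-ip"], 0), len(hits))
    return flagged


def constructed_log() -> str:
    """Build a sample IIS log: a legitimate user logging in a few times over an
    hour, a scanner hitting the login page 30 times in 90 seconds, and one
    truncated line that the parser must ignore. All values are made up."""
    header = [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    ]
    fmt = "{ts} 10.0.0.5 {method} {path} - 443 {user} {ip} {ua} {status}"
    lines = []
    base = datetime(2023, 3, 3, 9, 0, 0)
    for i in range(4):
        ts = (base + timedelta(minutes=15 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(fmt.format(ts=ts, method="POST", path="/human.aspx", user="alice",
                                ip="192.0.2.10", ua="Mozilla/5.0", status=200))
    base = datetime(2023, 3, 3, 10, 0, 0)
    for i in range(30):
        ts = (base + timedelta(seconds=3 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(fmt.format(ts=ts, method="GET", path="/human.aspx", user="-",
                                ip="203.0.113.7", ua="python-requests/2.28", status=200))
    lines.append("2023-03-03 10:02:00 10.0.0.5 GET")   # truncated record, must be skipped
    return "\n".join(header + lines) + "\n"


if __name__ == "__main__":
    for ip, peak in find_scanners(constructed_log()).items():
        print(f"possible scanner {ip}: {peak} login-page hits within {WINDOW}")
```

The threshold and window are deliberately parameters: a busy instance behind a corporate NAT will need a higher threshold, and lowering it or widening the window turns the same logic into a brute-force detector for the login form.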
## References
- Vendor advisory (May 31, 2023): hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- Vendor advisory (June 9, 2023 - CVE-2023-35036): hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023
- Vendor advisory (June 15, 2023 - CVE-2023-35708): hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023