DIVD-2023-00028 - SQL Injection in MOVEit Transfer - CVE-2023-36934
| Field | Value |
|---|---|
| Case lead | Célistine Oosting |
| Recommendation | Update to the applicable version of MOVEit Transfer listed in the versions section. |
| Patch status | Fully patched |
| Last modified | 20 Jul 2023 11:20 |
Progress has disclosed a new SQL injection vulnerability in MOVEit Transfer, its managed file transfer application. As with the previous vulnerability (CVE-2023-34362), exploitation could give an attacker unauthorized access to the MOVEit Transfer database, leading to privilege escalation and data theft.
What you can do
Progress has released patches for this vulnerability. If you have not yet applied the patches for the earlier vulnerabilities (CVE-2023-34362 and its follow-ups), first carry out the remediation steps for those:
- Add firewall rules that block inbound HTTP and HTTPS access (TCP ports 80 and 443) to the MOVEit Transfer host until it is patched. This cuts off the web interface that the vulnerability is reached through; SFTP and FTPS transfers, and administration over remote desktop, are not affected by the rule.
- Review the MOVEit Transfer user accounts and the files in the web root for anything you did not create yourself, and remove unauthorized accounts and files.
Only after completing these steps, update to the latest version of MOVEit Transfer, and restore HTTP/HTTPS access once the update is in place.
What we are doing
DIVD is identifying vulnerable parties and notifying them. We do this by finding internet-exposed MOVEit Transfer instances, extracting the version string they expose, and comparing it against the patched versions. Vulnerable parties receive an email from DIVD.
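As an added illustration of the version-based triage described above (this is not DIVD's own scanner code), the script below extracts the version string from a fetched MOVEit Transfer login page and compares it against a table of first-patched builds per release line. The page markup, the host names and the contents of the `FIXED` table are assumptions: the table holds placeholder values and must be filled from the versions section of this case file before use.

```python
"""Version triage for MOVEit Transfer instances found during a scan.

Added example, not DIVD's scanner. Assumptions: the login page carries a
string of the form "MOVEit Transfer <year>.<minor>.<patch>"; the sample
page is constructed; FIXED holds placeholder values that must be replaced
with the versions section of the case file.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample of what a scanner receives for one host (the exact
# markup is an assumption; only the version string matters here).
SAMPLE_LOGIN_PAGE = """<html><body>
<form id="signon" method="post"><input name="username"><input name="password"></form>
<div class="footer">MOVEit Transfer 2023.0.2</div>
</body></html>"""

# Year-style version as shown in the UI, e.g. "MOVEit Transfer 2023.0.2".
VERSION_RE = re.compile(r"MOVEit Transfer\s+(\d{4})\.(\d+)\.(\d+)")

# First patched build per release line. PLACEHOLDER values (assumption):
# take the real ones from the versions section of this case file.
FIXED: Dict[Tuple[int, int], Version] = {
    (2023, 0): (2023, 0, 4),
    (2022, 1): (2022, 1, 8),
    (2022, 0): (2022, 0, 7),
    (2021, 1): (2021, 1, 7),
    (2021, 0): (2021, 0, 9),
}


def extract_version(html: str) -> Optional[Version]:
    """Return (year, minor, patch) from a login page, or None if absent."""
    m = VERSION_RE.search(html)
    if not m:
        return None
    year, minor, patch = (int(g) for g in m.groups())
    return (year, minor, patch)


def assess(version: Optional[Version]) -> str:
    """Classify one host's version against the FIXED table.

    "unknown"     - no version string found; inspect the host manually,
                    never assume it is patched
    "patched"     - supported line, at or above the first fixed build
    "vulnerable"  - supported line, below the first fixed build
    "unsupported" - release line absent from the table; it must be
                    upgraded, so treat it as vulnerable
    """
    if version is None:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unsupported"
    # Tuple comparison orders (year, minor, patch) lexicographically.
    return "patched" if version >= fixed else "vulnerable"


def triage(pages: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for a batch of fetched login pages."""
    return {host: assess(extract_version(html)) for host, html in pages.items()}


if __name__ == "__main__":
    # Constructed batch: host names are placeholders.
    pages = {
        "transfer.example.net": SAMPLE_LOGIN_PAGE,
        "files.example.org": SAMPLE_LOGIN_PAGE.replace("2023.0.2", "2023.0.4"),
        "old.example.com": SAMPLE_LOGIN_PAGE.replace("2023.0.2", "2020.0.3"),
        "other.example.com": "<html><body>nginx</body></html>",
    }
    for host, verdict in triage(pages).items():
        print(f"{host}: {verdict}")
```

Two design points: a host whose page yields no version string is reported as "unknown" rather than silently skipped, because a customised or reverse-proxied login page is exactly where a vulnerable instance can hide; and a release line that is not in the table is reported as "unsupported", since anything older than the supported lines has no patch and must be upgraded. Fetching the pages of third-party hosts is a scan; do that only under a mandate such as the one DIVD operates under.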
| Date | Event |
|---|---|
| 06 Jul 2023 | Progress announces patches for a new critical vulnerability in MOVEit Transfer |
| 10 Jul 2023 | DIVD starts initial scans |
| 15 Jul 2023 | First version of this case file |
| 20 Jul 2023 | Informed vulnerable parties |