DIVD-2023-00023 - SQL injection in MOVEit Transfer - CVE-2023-34362

Our reference DIVD-2023-00023
Case lead Alwin Warringa
Author Max van der Horst
Researcher(s)
CVE(s)
Product MOVEit Transfer
Versions
  • < 2021.0.6 (13.0.6)
  • < 2021.1.4 (13.1.4)
  • < 2022.0.4 (14.0.4)
  • < 2022.1.5 (14.1.5)
  • < 2023.0.1 (15.0.1)
Recommendation Apply firewall rules to block any HTTP traffic on ports 80 and 443 until the patch is installed; review and delete any unauthorized users and files; install the provided patch.
Status Closed
Last modified 27 Jul 2023 13:51 CEST

Summary

Progress has discovered active exploitation of a SQL injection vulnerability in MOVEit Transfer, a managed file transfer application. This vulnerability is already being picked up by national CERTs and has already been listed by CISA as a Known Exploited Vulnerability (KEV). Misuse of this vulnerability could lead to privilege escalation and theft of data.

What you can do

Progress has listed two mitigations and a remediation step. If you cannot immediately patch, make sure to add firewall rules that block HTTP traffic on ports 80 and 443. Additionally, it is wise to review and remove any unauthorized users or files. If you can, install the provided patch immediately.

What we are doing

DIVD is currently working to identify vulnerable parties and notify them. We do this by finding MOVEit Transfer instances and extracting the version name. Vulnerable parties will receive a notification with remediation steps.
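The version comparison behind this kind of triage, applied to an inventory you already hold, as an added example that is not DIVD's scanner or Progress code: it compares version strings with the fixed releases in the Versions list above. The year-to-major mapping is read off the pairs in that list, and the hostnames, sample versions and function names are constructed for illustration.

```python
import re

# First fixed patch level per branch, copied from the "Versions" list in this advisory.
# Keys are (major, minor) in the internal numbering shown in parentheses there.
FIXED_PATCH = {
    (13, 0): 6,   # 2021.0.6 (13.0.6)
    (13, 1): 4,   # 2021.1.4 (13.1.4)
    (14, 0): 4,   # 2022.0.4 (14.0.4)
    (14, 1): 5,   # 2022.1.5 (14.1.5)
    (15, 0): 1,   # 2023.0.1 (15.0.1)
}
# Assumption read off the pairs above: release year 2021 is major 13, 2022 is 14, 2023 is 15.
YEAR_TO_MAJOR = {2021: 13, 2022: 14, 2023: 15}

def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unparseable' for one version string."""
    # Any components after major.minor.patch (e.g. a build number) are ignored.
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", version)
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.groups())
    major = YEAR_TO_MAJOR.get(major, major)   # accept 2023.0.1 as well as 15.0.1
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unlisted"                     # branch not named in the advisory: check manually
    return "vulnerable" if patch < fixed else "fixed"

def triage(inventory: dict) -> dict:
    """Group hosts by classification so unpatched and unknown ones stand out."""
    result = {}
    for host, version in inventory.items():
        result.setdefault(classify(version), []).append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "mft-01.example.org": "15.0.0",
    "mft-02.example.org": "2023.0.1",
    "mft-03.example.org": "13.1.4.12",
    "mft-04.example.org": "2022.1.4",
    "mft-05.example.org": "12.1.8",
    "mft-06.example.org": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as unlisted or unparseable are not cleared by this check; the advisory's list does not cover them, so they need a manual look.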

Timeline

Date Description
02 Jun 2023 - 27 Jul 2023 NCSC-NL publishes advisory.
02 Jun 2023 Vulnerability added to CISA’s Known Exploited Vulnerabilities.
02 Jun 2023 DIVD starts researching fingerprint.
03 Jun 2023 DIVD conducts first scan.
03 Jun 2023 DIVD performs first mailrun.
03 Jun 2023 First version of this casefile.
15 Jun 2023 New zero-day vulnerability found and published online.
03 Jul 2023 DIVD sent out a second and final round of notifications.
25 Jul 2023 Case closed.

More information