DIVD-2023-00028 - SQL Injection in MOVEit Transfer - CVE-2023-36934

Summary

Progress has discovered a new SQL Injection vulnerability in their product MOVEit Transfer, a managed file transfer application. Just like the previous vulnerability, misuse of this vulnerability could lead to privilege escalation and data theft.

What you can do

Progress has released patches for this vulnerability. If you haven’t applied the patch for the previous vulnerabilities (CVE-2023-34362), it’s important to follow the following remediation steps:

• Add firewall rules that block access to HTTP and HTTPS on ports 80 and 443
• review and remove unauthorized accounts and files

After following these steps it’s recommended to update to the latest version of MOVEit Transfer.

What we are doing

DIVD is working on identifying vulnerable parties and notifying them. We do this by finding MOVEit instances and extracting the version name from them. Vulnerable parties will receive an email from DIVD.

Timeline

More information

• Bleeping computer article about this vulnerability
• MOVEit transfer knowledge base
• CVE-2023-36934