June 5, 2023

A zero-day vulnerability in MOVEit transfer MFT application is being exploited in the wild

Progress Software has patched a zero day vulnerability in MOVEit Transfer managed file transfer (MFT) solution that could lead to escalated privileges and potential unauthorized access to the environment.

This was exploited in the wild in May and June 2023. Exploitation of unpatched systems can occur via HTTP or HTTPS.

The 0-Day Vulnerability

• CVE-2023-34362 – (CVSS 3.1: 5.5, Medium) – SQL injection vulnerability that allows an unauthenticated attacker to access MOVEit Transfer database and execute arbitrary code. An attacker my be able to gather information about the database structure and contents, and execute SQL statements that alter or delete database elements. The last impact varies based on the specific database engine being used such as: MySQL, Microsoft SQL Server, or Azure SQL.

Vulnerable Versions

• MOVEit Transfer 2023.0.0 (15.0)
• MOVEit Transfer 2022.1.x (14.1)
• MOVEit Transfer 2022.0.x (14.0)
• MOVEit Transfer 2021.1.x (13.1)
• MOVEit Transfer 2021.0.x (13.0)
• MOVEit Transfer 2020.1.x (12.1)
• MOVEit Transfer 2020.0.x (12.0)
• MOVEit Cloud

Mitigation and Workaround

CYREBRO recommends patching MOVEit Transfer instances according to Progress Software Advisory.

Those who cannot immediately apply security updates can also disable all HTTP and HTTPS traffic to their MOVEit Transfer environments to remote the attack surface.

References: Progress Software Advisory