
MOVEit MFT CVE-2023-34362

Date: 5/6/2023 | Prepared by: Jason Trapp, DFIR Analyst


Purpose and details

This alert highlights a critical security issue identified in the Managed File Transfer (MFT) software MOVEit Transfer for Windows, owned by the vendor Progress [1]. The vulnerability is tracked under the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-34362.

This vulnerability awaits analysis to determine its Common Vulnerability Scoring System (CVSS) score. Based on what has been observed, it will likely receive a critical score higher than 9. The vulnerability affected both the on-premises and cloud versions of MOVEit Transfer. Progress has reported that the cloud version of MOVEit Transfer has been patched and is no longer vulnerable.

This SQL injection vulnerability allows an unauthenticated, remote Threat Actor to access the MOVEit Transfer instance. Per Progress’ article, a Threat Actor “may be able to infer information about the structure and contents of the database.” This may provide a Threat Actor with the ability to exfiltrate data.  

Huntress reported exploitation of this issue on 31 May 2023 [2], with a .aspx file named “human2.aspx” observed being dropped into the wwwroot directory.

This file has been observed to connect to the database and can perform any of the following: delete the ‘Health Check Service’ user from the database, leak Azure information via response headers, or retrieve any file specified by an X-siLocked-Step2 or X-siLocked-Step3 request header. Security firm GreyNoise has observed scanning activity for the page “human.aspx” as early as 03 March 2023 [3].
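As an added example (not code from the bulletin, Huntress, GreyNoise or Progress), the following Python parses IIS W3C extended log text and surfaces the two indicators above: any request for the human2.aspx web shell, and client addresses that requested the legitimate human.aspx page without ever authenticating, which is the footprint that scanning for that page leaves. The sample log lines and the wwwroot baseline helper are constructed assumptions, not data from the bulletin.

```python
from pathlib import Path

# Indicator from the bulletin: the web shell is dropped into wwwroot as human2.aspx.
WEB_SHELL_NAMES = {"human2.aspx"}
# human.aspx is a legitimate MOVEit Transfer page; scanning for it was observed.
LOGIN_PAGE = "human.aspx"

def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into one dict per request, keyed by #Fields."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip malformed or truncated lines
                rows.append(dict(zip(fields, values)))
    return rows

def find_suspicious_requests(text):
    """Return (webshell_hits, scanners): requests for the web shell, and client
    IPs that requested the login page but never appear with a username."""
    rows = parse_iis_w3c(text)
    webshell_hits = [r for r in rows
                     if r["cs-uri-stem"].rsplit("/", 1)[-1].lower() in WEB_SHELL_NAMES]
    login_ips, authed_ips = set(), set()
    for r in rows:
        if r["cs-uri-stem"].lower().endswith("/" + LOGIN_PAGE):
            login_ips.add(r["c-ip"])
        if r["cs-username"] != "-":            # IIS logs "-" for anonymous requests
            authed_ips.add(r["c-ip"])
    return webshell_hits, sorted(login_ips - authed_ips)

def unexpected_aspx_files(wwwroot, baseline):
    """List .aspx files under wwwroot not in a known-good baseline (assumed to be
    a set of lower-case relative paths captured from a clean install)."""
    root = Path(wwwroot)
    rel = [str(p.relative_to(root)).lower() for p in root.rglob("*.aspx")]
    return sorted(r for r in rel if r not in baseline)

# Constructed sample IIS log (not from the bulletin); 198.51.100.7 is the attacker.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2023-05-30 10:01:02 GET /human.aspx - 443 - 198.51.100.7 200
2023-05-30 10:02:15 POST /human2.aspx - 443 - 198.51.100.7 200
2023-05-30 10:03:40 GET /human.aspx - 443 - 192.0.2.10 200
2023-05-30 10:03:45 POST /human.aspx - 443 alice 192.0.2.10 200
2023-05-30 10:04:01 GET /images/logo.png - 443 alice 192.0.2.10 200
"""

if __name__ == "__main__":
    hits, scanners = find_suspicious_requests(SAMPLE_LOG)
    print(len(hits), "web shell request(s); unauthenticated login-page sources:", scanners)
```

A legitimate user who only browsed the login page and never signed in will also appear in the scanners list, so treat that output as a lead for correlation rather than an alert on its own.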

As of the time of writing this Security Bulletin, it is not known which Threat Actor group(s) are associated with exploiting this vulnerability.  

This is the second Managed File Transfer (MFT) product to have a critical vulnerability discovered in 2023. The first was the GoAnywhere MFT software, tracked as CVE-2023-0669.

Vulnerable versions 

This vulnerability affects all Windows Operating Systems running MOVEit Transfer. 

This included the cloud version of the software, which Progress has now advised has been patched. 

For those that are running on-premises versions of the MOVEit Transfer software, vulnerable versions of the software include:  

  • MOVEit Transfer 2023.0.0 (15.0)  
  • MOVEit Transfer 2022.1.x (14.1)  
  • MOVEit Transfer 2022.0.x (14.0)  
  • MOVEit Transfer 2021.1.x (13.1)  
  • MOVEit Transfer 2021.0.x (13.0)  
  • MOVEit Transfer 2020.1.x (12.1)  
  • MOVEit Transfer 2020.0.x (12.0) or older  

Mitigation actions

Triskele Labs recommends that the MOVEit Transfer software be updated to the patched release for the version being run. The following URL links to relevant upgrade documentation for the affected software:

Additional mitigation actions that can be taken include:   

  • Add firewall rules to deny traffic on ports 80 and 443 to the MOVEit Transfer server.  
      • This will prevent use of the web application.  
      • SFTP and FTP protocols will continue to function.  

These mitigation strategies are not substitutes for patching the vulnerability. These should be implemented in the case that a patch cannot be immediately applied.     

Detection 

The Triskele Labs DefenceShield Security Operations Centre (SOC) monitors suspicious activity for Managed Detection and Response (MDR) clients. 

DefenceShield Monitor clients with Security Information and Event Management (SIEM) agents deployed to endpoints running MOVEit Transfer will detect exploitation of this vulnerability.  

Triskele Labs are performing ongoing scanning for DefenceShield Assess clients to detect vulnerable devices in client networks.  

For any questions, please contact the DefenceShield Security Operations Centre or Triskele Labs support.   

[1] https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
[2] https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
[3] https://www.greynoise.io/blog/progress-moveit-transfer-critical-vulnerability