This alert highlights a critical security issue identified in the Managed File Transfer (MFT) software MOVEit Transfer for Windows, owned by the vendor Progress [1]. This vulnerability is tracked with the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-34362.
This vulnerability awaits analysis to determine the Common Vulnerability Scoring System (CVSS) score. Based on what has been observed, this vulnerability will likely receive a critical score higher than 9. The vulnerability affected both on-prem and cloud versions of MOVEit. Progress has reported that the cloud version of MOVEit Transfer has been patched and is no longer vulnerable.
This SQL injection vulnerability allows an unauthenticated, remote Threat Actor to access the MOVEit Transfer instance. Per Progress’ article, a Threat Actor “may be able to infer information about the structure and contents of the database.” This may provide a Threat Actor with the ability to exfiltrate data.
Huntress reported exploitation of this issue on 31 May 2023 [2], and a .aspx file named “human2.aspx” was seen dropped into the wwwroot directory.
This file has been observed to connect to the database and can either: delete the ‘Health Check Service’ user from the database, leak Azure information from response headers, or retrieve any file specified by an X-siLocked-Step2 header or X-siLocked-Step3 header. Security firm GreyNoise has observed scanning activity for the page “human.aspx” as early as 03 March 2023 [3].
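The following is an added example, not part of the original alert or of any vendor tooling: a Python check that searches IIS logs for requests to “human2.aspx” while ignoring the legitimate “human.aspx” page. It assumes W3C-format logs carrying a #Fields header; the sample log lines and IP addresses are constructed.

```python
from collections import defaultdict

WEBSHELL = "human2.aspx"  # file name reported in this alert

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2023-05-30 09:12:01 GET /human.aspx 198.51.100.7 Mozilla/5.0+(constructed) 200
2023-05-30 09:15:02 GET /Human2.aspx 203.0.113.9 constructed-client 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-31 02:40:10 203.0.113.9 POST /human2.aspx 200
2023-05-31 02:41:55 192.0.2.44 GET /human2.aspx 404
2023-05-31 02:42:00 192.0.2.44 GET
"""

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_webshell_requests(lines, name=WEBSHELL):
    """Return requests whose last URI path segment equals `name`, ignoring case."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() == name.lower():
            hits.append(row)
    return hits

def summarise(hits):
    """Group hits by client IP: (request count, first seen, last seen)."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h.get("c-ip", "?")].append(f"{h.get('date', '')} {h.get('time', '')}")
    return {ip: (len(ts), min(ts), max(ts)) for ip, ts in by_ip.items()}

if __name__ == "__main__":
    found = summarise(find_webshell_requests(SAMPLE_LOG.splitlines()))
    for ip, (count, first, last) in found.items():
        print(f"{ip}: {count} request(s) to {WEBSHELL}, first {first}, last {last}")
```

Any hit is a reason to check the wwwroot directory for the file itself and to preserve the logs for the time window reported.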
As of the time of writing this Security Bulletin, it is not known which Threat Actor group(s) are associated with exploiting this vulnerability.
This is the second Managed File Transfer (MFT) product to have a critical vulnerability discovered in 2023. The first was the GoAnywhere MFT software, tracked as CVE-2023-0669.
This vulnerability affects all Windows Operating Systems running MOVEit Transfer.
This included the cloud version of the software, which Progress has now advised has been patched.
For those that are running on-premises versions of the MOVEit Transfer software, vulnerable versions of the software include:
MOVEit Transfer 2023.0.0 (15.0)
MOVEit Transfer 2022.1.x (14.1)
MOVEit Transfer 2022.0.x (14.0)
MOVEit Transfer 2021.1.x (13.1)
MOVEit Transfer 2021.0.x (13.0)
MOVEit Transfer 2020.1.x (12.1)
MOVEit Transfer 2020.0.x (12.0) or older
Triskele Labs recommends that MOVEit Transfer software is updated in line with the version being run. The following URL links to relevant upgrade documentation for the affected software: