Overview
Assura’s Security Operations Center is seeing active exploitation of a SQL injection flaw in Progress Software’s MOVEit Transfer product. The flaw was first announced on May 31, 2023, and is tracked as CVE-2023-34362.
Technical Analysis
A full technical analysis has been done by our friends at Huntress, who have been at the forefront of analyzing exploitation of the vulnerability by at least one threat actor: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response.
Affected versions, fixed versions, and documentation to execute an upgrade to the patched versions are:
Affected Version | Fixed Version | Documentation |
MOVEit Transfer 2023.0.0 (15.0.0) | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.4 | |
MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
MOVEit Transfer 2021.0.x (13.0.x) | MOVEit Transfer 2021.0.6 | |
MOVEit Transfer 2020.1.x (12.1.x) | Special Patch Available | See KB 000234559 |
Assura’s Take
There are two courses of action to take: PATCH NOW and hunt for signs of compromise. Organizations should search their MOVEit Transfer server(s) for the Indicators of Compromise (IOCs) listed in the Progress Software article about the vulnerability as well as in the analysis published by Huntress (the Huntress analysis is linked under Technical Analysis above; the Progress Software article is in the References section below).
The Assura SOC is actively monitoring for exploitation of this vulnerability and assisting clients with investigations. If you are an Assura Managed SIEM client and have any questions about this, please contact your Concierge.
References:
Progress Software Article About this Vulnerability – https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023