MOVEit just a little more


In the wake of CVE-2023-34362, released on 5/31/2023, which warned that the MOVEit Transfer and MOVEit Cloud products contained vulnerabilities that could allow remote code execution and unauthorized access to their customer environment, Progress announced an additional CVE, CVE-2023-35036, for those same products. After CVE-2023-34362, Progress contracted Huntress to perform a third-party code review to look for any other vulnerabilities in the MOVEit products. During their code review, Huntress identified multiple additional critical vulnerabilities allowing SQL injection into all versions of MOVEit Transfer. An attacker could submit a crafted SQL payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content. Progress has released patches and remediation instructions for the newly discovered vulnerabilities in their MOVEit products.

If you are a MOVEit Transfer customer and have not yet applied the May 2023 patches, use the following link for remediation and patching instructions. This link includes instructions for remediating and patching both the May 31st and June 9th vulnerabilities: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

If you are a MOVEit Transfer customer who has already applied the May 2023 patch and followed the remediation steps, use this link for instructions to apply the June 9th patch: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023

As always, if you believe you may have been impacted by this vulnerability, it is important to investigate your environment to search for evidence of a compromise.

National Vulnerability Database info for CVE-2023-35036: https://nvd.nist.gov/vuln/detail/CVE-2023-35036

Huntress’s Rapid Response post for both CVEs: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response



Reach out to our incident response team for help
