In the wake of CVE-2023-34362, released on 5/31/2023 to alert customers that the MOVEit Transfer and MOVEit Cloud products contained vulnerabilities that could allow remote code execution and unauthorized access to their environments, Progress announced an additional CVE, CVE-2023-35036, for those same products. After CVE-2023-34362, Progress contracted Huntress to perform a third-party code review to look for any other vulnerabilities in the MOVEit products. During that code review, Huntress identified multiple additional critical SQL injection vulnerabilities affecting all versions of MOVEit Transfer. An attacker could submit a crafted SQL payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content. Progress has released patches and remediation instructions for the newly discovered vulnerabilities in their MOVEit products.
If you are a MOVEit Transfer customer and have not yet applied the May 2023 patches, use the following link for remediation and patching instructions. This link includes instructions for remediating and patching both the May 31st and June 9th vulnerabilities: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
If you are a MOVEit Transfer customer who has already applied the May 2023 patch and followed the remediation steps, use this link for instructions to apply the June 9th patch: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023
As always, if you believe you may have been impacted by this vulnerability, it is important to investigate your environment for evidence of compromise.
National Vulnerability Database info for CVE-2023-35036: https://nvd.nist.gov/vuln/detail/CVE-2023-35036
Huntress's Rapid Response post for both CVEs: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response