MOVEit just a little more


On 5/31/2023 Progress published CVE-2023-34362, warning that the MOVEit Transfer and MOVEit Cloud products contained vulnerabilities that could allow remote code execution and unauthorized access to customer environments. Progress has now announced an additional CVE, CVE-2023-35036, for the same products. After CVE-2023-34362, Progress contracted Huntress to perform a third-party code review to look for any other vulnerabilities in the MOVEit products. During that review, Huntress identified multiple additional critical SQL injection vulnerabilities affecting all versions of MOVEit Transfer. An attacker could submit a crafted SQL payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content. Progress has released patches and remediation instructions for the newly discovered vulnerabilities in their MOVEit products.
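The vulnerability class Huntress describes, a user-supplied value reaching the SQL text unchanged so the database cannot distinguish data from query structure, is illustrated below with an added generic example. It is not MOVEit code and not from Progress or Huntress; the `files` table, the `owner` column, the sample rows and the function names are assumptions for illustration only. The unsafe function shows why a single crafted value can widen a query to rows it should never return; the safe function shows the parameterized form that prevents it.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database.
    The schema and rows are assumptions for illustration, not MOVEit's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "report.pdf"), ("bob", "budget.xlsx"), ("carol", "notes.txt")],
    )
    conn.commit()
    return conn


def list_files_unsafe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Vulnerable pattern: the caller-controlled value is concatenated into the
    query text, so quotes inside it become part of the SQL grammar."""
    query = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(query)]


def list_files_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Hardened pattern: the value travels as a bound parameter, separate from
    the query text, and is only ever compared as a string."""
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# Constructed input containing a quote; with the unsafe function it turns the
# WHERE clause into a tautology, with the safe one it is just an unknown owner.
CRAFTED_OWNER = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("unsafe, normal input:", list_files_unsafe(db, "alice"))
    print("unsafe, crafted input:", list_files_unsafe(db, CRAFTED_OWNER))
    print("safe, crafted input:", list_files_safe(db, CRAFTED_OWNER))
```

The same contrast holds for any driver that supports bound parameters; the defensive rule is that query text is fixed at development time and every runtime value is passed as a parameter, never spliced into the string.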

If you are a MOVEit Transfer customer and have not yet applied the May 2023 patches, use the following link for remediation and patching instructions. It covers both the May 31st and June 9th vulnerabilities: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

If you are a MOVEit Transfer customer who has already applied the May 2023 patch and followed the remediation steps, use this link for instructions to apply the June 9th patch: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023

As always, if you believe you may have been impacted by this vulnerability, investigate your environment for evidence of compromise.

National Vulnerability Database info for CVE-2023-35036: https://nvd.nist.gov/vuln/detail/CVE-2023-35036

Huntress’s Rapid Response post for both CVEs: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response


