CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Actively Exploited in the Wild

Share :

On 30 May 2023, Progress released a security advisory warning customers of a critical zero-day vulnerability being actively exploited in MOVEit Transfer, a managed file transfer (MFT) solution. The exploitation of this vulnerability could lead to escalated privileges and potential unauthorised access to an environment, allowing threat actors to steal data and extort organisations. This vulnerability is being tracked as CVE-2023-34362 and affects all versions of MOVEit Transfer products, including EOL versions. Patches have been released by Progress in their advisory here. 

Arctic Wolf has observed this vulnerability being actively exploited in the wild in campaigns where Webshells are being loaded onto victim systems. The Webshells we observed were all named human2.aspx. Each Webshell we observed had a unique hash since the threat actors configured a unique password on each for access. Webshells provide threat actors with the capability to execute commands remotely on target systems and provide a persistence mechanism. 

Arctic Wolf has not attributed this campaign to a specific threat actor; however, we have observed similar types of vulnerabilities in file transfer products like GoAnywhere MFT being exploited in the past by ransomware actors to exfiltrate sensitive data and extort victims for a ransom payment under the threat of leaking their data. 

We continue to deploy detections in the Arctic Wolf platform to cover TTPs and IOCs observed in this campaign. 

Recommendations For CVE-2023-34362

Please follow your organisation’s patching and testing guidelines to avoid any operational impact. 

Recommendation #1: Apply Patches from Progress 

Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed.

We strongly recommend that customers running EOL versions of MOVEit Transfer migrate to a supported version as there is no patch available for EOL versions. 

Affected Version  Fixed Version  Documentation 
MOVEit Transfer 2023.0.0  MOVEit Transfer 2023.0.1  MOVEit 2023 Upgrade Documentation 
MOVEit Transfer 2022.1.x  MOVEit Transfer 2022.1.5  MOVEit 2022 Upgrade Documentation 
MOVEit Transfer 2022.0.x  MOVEit Transfer 2022.0.4 
MOVEit Transfer 2021.1.x  MOVEit Transfer 2021.1.4  MOVEit 2021 Upgrade Documentation 
MOVEit Transfer 2021.0.x  MOVEit Transfer 2021.0.6 

Recommendation #2: Prevent Unauthorised Access 

If you are unable to apply the patches provided by the vendor, Progress recommends that you apply the following mitigation measures to help prevent unauthorised access to your MOVEit Transfer environment. 

As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.  For more information on localhost connections, please refer to MOVEit Transfer Help: Progress Documentation    

Step 1: Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.  

More specifically:  

  • Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.  
      • It is important to note, that until HTTP and HTTPS traffic is enabled again:  
      • Users will not be able to log on to the MOVEit Transfer web UI   
      • MOVEit Automation tasks that use the native MOVEit Transfer host will not work  
      • REST, Java and .NET APIs will not work  
      • MOVEit Transfer add-in for Outlook will not work  
      • Please note: SFTP and FTP/s protocols will continue to work as normal  


Picture of James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents