On 9 June 2023, Progress released a security advisory detailing newly discovered SQL injection vulnerabilities impacting the MOVEit Transfer web application and MOVEit Cloud. The vulnerabilities are distinct from CVE-2023-34362, which was actively exploited by Clop Ransomware to exfiltrate data and extort compromised organisations. Although distinct, they could result in nearly identical unauthorised access, allowing threat actors to modify or disclose MOVEit database content.
All MOVEit Transfer versions are impacted by these vulnerabilities, including End-of-Life (EOL) versions under MOVEit Transfer (DMZ).
NOTE: MOVEit Cloud is also impacted by these vulnerabilities; however, Progress has tested and deployed a patch to all MOVEit Cloud clusters to remediate them.
For additional information on CVE-2023-34362 and the actions Arctic Wolf has taken in response to it, refer to the Security Bulletins:
Recommendations
If your organisation has not applied security patches for CVE-2023-34362, we strongly recommend following the remediation guidance provided in the MOVEit Transfer Critical Vulnerability (May 2023) article here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
If your organisation is up to date on those patches, apply the patches outlined in the tables below to remediate the newly discovered vulnerabilities.
Recommendation: Apply the Latest Security Patches Released by Progress
Progress has provided two methods to remediate the newly discovered vulnerabilities to minimise disruptions to operational environments.
Applying the DLL drop-in could reduce operational interruptions to the application during an upgrade compared to a full installer.
NOTE: To apply the DLL drop-in, your organisation must first have the required version listed in the table installed.
DLL Drop-in

| Affected Version | Fixed Version | Documentation |
| --- | --- | --- |
| MOVEit Transfer 2023.0.1 | MOVEit Transfer 2023.0.2 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2022.1.5 | MOVEit Transfer 2022.1.6 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2022.0.4 | MOVEit Transfer 2022.0.5 | |
| MOVEit Transfer 2021.14 | MOVEit Transfer 2021.1.5 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2021.0.6 | MOVEit Transfer 2021.0.7 | |
| MOVEit Transfer 2020.1.6 or later | MOVEit Transfer 2020.1.9 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2020.0.x or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |

Full Installer

| Affected Version | Fixed Version | Documentation |
| --- | --- | --- |
| MOVEit Transfer 2023.0.x | MOVEit Transfer 2023.0.2 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x | MOVEit Transfer 2022.1.6 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x | MOVEit Transfer 2022.0.5 | |
| MOVEit Transfer 2021.1.x | MOVEit Transfer 2021.1.5 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x | MOVEit Transfer 2021.0.7 | |
| MOVEit Transfer 2020.1.x | Special Patch Available | See KB Vulnerability (May 2023) Fix for MOVEit Transfer 2020.1 (12.1) |
| MOVEit Transfer 2020.0.x or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |

| Affected Version | Fixed Version | Documentation |
| --- | --- | --- |
| MOVEit Cloud | Prod: 14.1.6.97 or 14.0.5.45; Test: 15.0.2.39 | All MOVEit Cloud systems are fully patched at this time. |

Please follow your organisation’s patching and testing guidelines to avoid any operational impact.