On July 5th, 2023, Progress Software released a security advisory for a new critical SQL injection vulnerability, CVE-2023-36934, among two other high severity vulnerabilities impacting the MOVEit Transfer web application. These vulnerabilities were responsibly disclosed to Progress Software by researchers at HackerOne and Trend Micro’s Zero Day Initiative.
CVE-2023-36934 is separate from another recently reported MOVEit vulnerability, CVE-2023-34362, which was actively exploited by the CL0P Ransomware group to exfiltrate data and extort compromised organizations over the past month. Similar to CVE-2023-34362, this new vulnerability also provides unauthorized access, potentially allowing threat actors to access sensitive data within the MOVEit Transfer database.
In contrast to CVE-2923-36934, there are no known instances of exploitation in the wild at this time, and no public proof-of-concept exploits are available. However, it is expected that threat actors will work to develop such exploits in the coming weeks and months. Arctic Wolf highly recommends that you are running MOVEit Transfer apply the patches as soon as possible.
For additional information surrounding prior MOVEit Transfer vulnerabilities and Arctic Wolf actions surrounding the vulnerability, refer to prior Security Bulletins:
- CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Actively Exploited in the Wild
- New Vulnerabilities Similar to CVE-2023-34362 Identified in MOVEit Transfer and MOVEit Cloud
Recommendation
Recommendation: Apply the Latest Security Patches Released by Progress
Progress Software has provided updates for all major versions of MOVEit Transfer listed below. In addition to addressing CVE-2023-36934, these updates also address CVE-2023-36932 (a high severity post-authentication SQL injection vulnerability) and CVE-2023-36933 (a high severity Denial of Service vulnerability). If you are running version 2020.1.6, there are patched DLLs available as a drop-in patch.
|
Affected version |
Documentation |
Update download |
|
MOVEit Transfer 2023.0.x (15.0.x) |
||
|
MOVEit Transfer 2022.1.x (14.1.x) |
||
|
MOVEit Transfer 2022.0.x (14.0.x) |
||
|
MOVEit Transfer 2021.1.x (13.1.x) |
||
|
MOVEit Transfer 2021.0.x (13.0.x) |
||
|
MOVEit Transfer 2020.1.6 (12.1.6) or later |
Download the patch and see the readme.txt file in the zip file for instructions. |
|
|
MOVEit Transfer 2020.0.x (12.0.x) or older |
Must upgrade to a supported version. |
See Documentation column |
