CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild

Discovery of a new zero-day vulnerability in MOVEit Transfer becomes the second zero-day disclosed in a managed file transfer solution in 2023, with reports suggesting that threat actors have stolen data from a number of organizations.

Background

On May 31, Progress Software Corporation (“Progress Software”), published an advisory for a “critical” vulnerability in MOVEit Transfer, a secure managed file transfer (MFT) software used by a variety of organizations. Following the publication of its advisory, reports have emerged that the flaw had been exploited in the wild as a zero-day.

Analysis

CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable MOVEit Transfer instance. Successful exploitation would give an attacker access to the underlying MOVEit Transfer instance. Additionally, Progress Software notes that an attacker “may be able to infer information about the structure and contents of the database” depending upon the specific database engine in use (such as MySQL, Microsoft SQL Server, or Azure SQL).

In addition to the on-prem version of MOVEit Transfer, Progress Software confirmed in a statement to BleepingComputer that MOVEit cloud was also impacted, adding that it “took immediate action, including bringing down MOVEit Cloud, to ensure the safety of our customers, while we reviewed the severity of the situation.”

Critical MOVEit vulnerability has been exploited in the wild as a zero-day

While Progress Software has not explicitly referred to it as a zero-day, BleepingComputer reports that they have learned that “threat actors have been exploiting” the flaw as a zero-day to “perform mass downloading of data from organizations.” At the time this blog post was published, we are unaware of any specific threat actor that is responsible for the attacks.

At least 2,500 MOVEit Transfer potentially vulnerable instances publicly accessible

Based on a Shodan query from Shodan itself, there were 2,526 MOVEit Transfer potentially vulnerable instances publicly accessible as of June 2, 2023, with nearly three-quarters originating in the United States (73.4%) followed by the United Kingdom at 5% and Germany at 4.6%.

Image Source: Tenable, June 2023

Second MFT zero-day vulnerability discovered in 2023

The discovery of CVE-2023-34362 in MOVEit marks the second time in 2023 that a zero-day in an MFT solution has been exploited. In February, Fortra (formerly HelpSystems), disclosed a pre-authentication command injection zero-day vulnerability in its GoAnywhere MFT solution to customers as part of a technical bulletin as shared by journalist Brian Krebs. Identified as CVE-2023-0669, Fortra confirmed that GoAnywhere customers’ systems were accessed between January 28 and January 30 using the flaw as part of its summary investigation. The Clop ransomware group took credit for the attacks, claiming it had stolen data from “over 130 organizations.” Additionally, the BlackCat/ALPHV ransomware group was also observed exploiting CVE-2023-0669.

File transfer applications are a boon for data theft and extortion

Preceding the discovery of CVE-2023-0669, the Clop ransomware group was linked to a number of attacks stemming from four flaws in Accellion’s File Transfer Appliance (FTA), an end-of-life solution that was exploited in mid-to-late December 2020.