CVE-2023-34362: Progress MOVEit Transfer SQL Injection Vulnerability

Updates:

  • June 13th, 2023: Added CVE identification with templated rule CVE-2023-34362

  • June 13th, 2023: Added new timeline details

What you need to know:

  • On May 31, 2023, Progress released a security advisory about a critical vulnerability that could lead to unauthorized access in MOVEit Transfer. 

  • Based on publicly available information, exploitation of the SQL injection vulnerability (CVE-2023-34362) began on May 27, 2023. MOVEit Transfer web applications accessible over the internet were compromised, and a web shell was dropped to facilitate the exfiltration of data.

  • There are patches available for CVE-2023-34362.

  • Fastly Next-Gen WAF (NGWAF) customers can protect themselves from this vulnerability by enabling the templated rule CVE-2023-34362.

Progress MOVEit Transfer is a managed file transfer (MFT) solution. It is a software platform designed to facilitate the transfer of files between individuals and organizations. A SQL injection vulnerability was discovered in all versions of MOVEit Transfer’s on-premises solution. The vulnerability enables an unauthenticated attacker to gain access to MOVEit’s database. Unpatched systems are susceptible to exploitation over HTTP or HTTPS. According to GreyNoise, scanning activity to discover internet-accessible MOVEit installations started as early as March 3rd, 2023. The first publicly reported exploitation of this vulnerability started in May of 2023.   

Timeline:

  • April 27th, 2022 - Kroll observed activity consistent with MOVEit Transfer exploitation.

  • March 3rd, 2023 - Earliest scanning activity to discover internet-accessible MOVEit installations, reported by GreyNoise.

  • May 9th, 2023 - Earliest SQL injection attempts on MOVEit Transfer endpoints, observed by Fastly.

  • May 27th, 2023 - First publicly reported exploitation of the vulnerability, reported by Rapid7. 

  • May 31st, 2023 - Progress released a security advisory.

  • June 2nd, 2023 - CVE-2023-34362 assigned. 

  • June 5th, 2023 - CL0P Ransomware Gang, also known as TA505, claims responsibility for MOVEit extortion attacks, reported by BleepingComputer. 

  • June 12th, 2023 - Technical analysis and PoC (Proof of Concept) released by Rapid7.

What’s the impact: Attackers exploiting this vulnerability may be able to extract information about the database structure and content, and execute SQL statements that modify or delete elements of the underlying database. Additionally, after recreating the exploit, Huntress found that it enables arbitrary code execution. Reports indicate the exfiltrated data is being used for ransom.

Digging deeper: Fastly observed SQL injection attempts on MOVEit Transfer endpoints as early as May 9, 2023. In addition, scanning activity picked up substantially after the announcement of CVE-2023-34362 for both SQL injection as well as looking for evidence of the human2.aspx web shell. Microsoft Threat Intelligence has attributed exploitation activity to the Clop ransomware group, which was later confirmed by BleepingComputer, after the group claimed responsibility for the MOVEit Transfer attacks. 

What you should do: If your organization is running MOVEit Transfer, you should follow the instructions given in the Progress security advisory. Additionally, you should search for indicators of compromise beyond the initially suggested 30-day window, because there are reports of active exploitation before that timeframe. If you have an NGWAF site configuration specifically for MOVEit Transfer, we encourage you to enable the templated rule for CVE-2023-34362 immediately and configure it to blocking mode.
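As an added illustration of the IoC search described above (not code from this post or from Progress), the following script walks IIS W3C log lines for requests to the human2.aspx web shell and separates out the hits that fall outside a 30-day window. The log lines are constructed samples, and the field layout is assumed to be the default IIS W3C header; MOVEit Transfer's actual log paths and formats should be taken from the Progress advisory.

```python
"""Hunt IIS W3C logs for requests to the human2.aspx web shell (constructed example)."""
from datetime import date, datetime, timedelta
from typing import Iterator

# Constructed sample log lines. The "#Fields:" header is assumed to follow the
# default IIS W3C layout; real deployments may log a different field order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-10 04:12:01 10.0.0.5 GET /index.html - 443 - 198.51.100.10 Mozilla/5.0 200
2023-05-28 09:41:17 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 - 200
2023-06-03 22:05:44 10.0.0.5 GET /index.html - 443 - 198.51.100.10 Mozilla/5.0 200
2023-06-04 01:13:09 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.9 Mozilla/5.0 404
"""

WEB_SHELL_STEM = "/human2.aspx"  # web shell name reported in the public advisories


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: list = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        yield dict(zip(fields, line.split()))


def find_web_shell_hits(text: str) -> list:
    """Return (timestamp, client ip, method, status) for every request to the web shell path.

    A 404 is still recorded: scanners probing for the shell are an indicator too.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower().endswith(WEB_SHELL_STEM):
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            hits.append((ts, rec["c-ip"], rec["cs-method"], rec["sc-status"]))
    return hits


def hits_outside_window(text: str, as_of: str, days: int = 30) -> list:
    """Hits older than the window ending at as_of (ISO date), i.e. what a window-only search misses."""
    cutoff = datetime.combine(date.fromisoformat(as_of), datetime.min.time()) - timedelta(days=days)
    return [h for h in find_web_shell_hits(text) if h[0] < cutoff]


if __name__ == "__main__":
    for hit in find_web_shell_hits(SAMPLE_LOG):
        print(hit)
    print("older than 30 days:", hits_outside_window(SAMPLE_LOG, "2023-07-01"))
```

Run against real logs, widen the window as far back as retention allows rather than stopping at 30 days.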

Further reading

Fastly Security Research Team
Simran Khalsa
Staff Security Researcher
Matthew Mathur
Senior Security Researcher
Arun Kumar
Senior Security Researcher
Xavier Stevens
Staff Security Researcher
Fastly Security Research Team

The Fastly Security Research Team focuses on ensuring our customers have the tools and data available to them to keep their systems secure. They analyze and ultimately help prevent attacks at Fastly scale. The team is a group of behind-the-scenes security experts who are here to help you stay on the cutting edge of the ever-evolving security landscape.

Simran Khalsa
Staff Security Researcher

Simran is a Staff Security Researcher at Fastly where he focuses on threat intelligence, vulnerability research, and product innovation. He enjoys researching novel attack techniques and fortifying technology to prevent real-world web attacks. He has spent his career on both the offensive and defensive sides of the industry in both public and private sectors with an emphasis on building modern security solutions.

Matthew Mathur
Senior Security Researcher

Matthew is a Senior Security Researcher at Fastly, focusing on vulnerability research, web application attacks, and developing protections. Matthew is an active contributor to several open source security tools including the Metasploit Framework and Nuclei, and is passionate about sharing research with the security community.

Arun Kumar
Senior Security Researcher

Arun Kumar is a Senior Security Researcher at Fastly, with a focus on bot management & anti-fraud products.

Xavier Stevens
Staff Security Researcher

Xavier Stevens is a Staff Security Researcher at Fastly, with a focus on threat research, detection engineering, and product innovation.
