Unveiling CVE-2023-34362: The MOVEit Transfer Zero-Day Exploit

With our relentless commitment to the world of cybersecurity, our researchers have recently come across an SQL injection vulnerability in the MOVEit Transfer web application – CVE-2023-34362. This critical vulnerability could be exploited by an unauthenticated, remote attacker via a specially designed request. The successful execution of this exploit could give an attacker direct access to the underlying MOVEit Transfer instance.

What Does This Mean for Your Data?

If an attacker exploits this vulnerability, they can learn about the structure and contents of the database, with the specifics depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL). Progress Software, which has confirmed the vulnerability, even took MOVEit Cloud offline to protect customer data.

An Active Zero-Day Exploit

Although Progress Software has not labeled it a zero-day, reports indicate that this flaw has been exploited in the wild for mass downloading of data from organizations. With over 2,500 potentially vulnerable MOVEit Transfer instances found publicly accessible, the threat is real and immediate.

An Alarming Trend in 2023

CVE-2023-34362 isn’t the first of its kind. Earlier this year, we witnessed a pre-authentication command injection zero-day vulnerability in the GoAnywhere MFT solution. In fact, file transfer applications have become a target for data theft and extortion, and the compromise of these solutions has a snowball-like effect.

What Should MOVEit Transfer Customers Do?

If you’re a MOVEit Transfer customer, start from the assumption that you have been compromised and initiate incident response promptly.

System administrators should check for a human2.aspx file in the wwwroot folder and review log files for unexpected downloads or uploads from unknown IP addresses. Web server logs should also be reviewed for GET requests to a human2.aspx file and for entries with large response sizes, which could indicate unexpected file downloads. If your instance is hosted on Azure, also review your Azure logs for unauthorized access to Azure Blob Storage keys.

To swiftly prevent the exploitation of the identified SQL injection vulnerability within your MOVEit Transfer environment, we strongly advise implementing the following remediation steps without delay. These steps are designed to provide maximum protection until a patch can be applied.

1. Disable HTTP and HTTPS Traffic

Modify firewall rules to deny HTTP and HTTPS traffic to your MOVEit Transfer environment on ports 80 and 443. This temporary measure is crucial to safeguard your system until the necessary patch is applied.

Please note the consequences of disabling HTTP and HTTPS traffic:

  • Users will be unable to log into the MOVEit Transfer web UI
  • MOVEit Automation tasks that utilize the native MOVEit Transfer host will be disrupted
  • REST, Java, and .NET APIs will cease to function
  • The MOVEit Transfer add-in for Outlook will be temporarily disabled

However, SFTP and FTP/S transfers will continue to operate as normal. Administrators can still reach MOVEit Transfer by using remote desktop access to the Windows server and then browsing to https://localhost/. Refer to MOVEit Transfer Help for more information on localhost connections.

2. Review, Delete, and Reset

Remove Unauthorized Files and User Accounts

To ensure system integrity, identify and delete any instances of the human2.aspx file (or any file with a human2 prefix) and any .cmdline script files.

On your MOVEit Transfer server, look for newly created files in the C:\MOVEitTransfer\wwwroot\ directory and for files with a .cmdline extension in the C:\Windows\TEMP\[random]\ directory. Also review for new APP_WEB_[random].dll files in the C:\Windows\Microsoft.NET\Framework64\[version]\Temporary ASP.NET Files\root\[random]\[random]\ directory.

Stop IIS (using ‘iisreset /stop’), delete all APP_WEB_[random].dll files, and then restart IIS (using ‘iisreset /start’). The web application will rebuild these files on the next access. Lastly, remove any unauthorized user accounts, referring to the Progress MOVEit Users Documentation as needed.
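As an added example (not code from this advisory or from Progress), the following PowerShell script hunts for the file indicators listed in this step and the web-log indicators described earlier, reading the column order from each IIS log's #Fields header so it works with customised logging fields. The default IIS log path, the 10 MB "large response" threshold and the *.log filename filter are assumptions; adjust them to your environment.

```powershell
# Added example, not from the advisory or from Progress. Hunts the file and IIS-log
# indicators on a MOVEit Transfer host. Run from an elevated PowerShell session.
$WwwRoot    = 'C:\MOVEitTransfer\wwwroot'
$AspNetTemp = 'C:\Windows\Microsoft.NET\Framework64'
$IisLogRoot = 'C:\inetpub\logs\LogFiles'      # assumption: default IIS log location
$Since      = (Get-Date).AddDays(-90)         # look back at least 90 days, per the advisory
$LargeBytes = 10MB                            # assumption: what counts as a "large" response

$findings = @()
# 1. human2.aspx (or any human2* file) dropped into wwwroot
$findings += @(Get-ChildItem -Path $WwwRoot -Recurse -File -Filter 'human2*' -ErrorAction SilentlyContinue |
    Select-Object @{n='Indicator';e={'human2 file'}}, FullName, CreationTime, @{n='Detail';e={$_.Length}})
# 2. .cmdline scripts under C:\Windows\TEMP\<random>\
$findings += @(Get-ChildItem -Path 'C:\Windows\TEMP' -Recurse -File -Filter '*.cmdline' -ErrorAction SilentlyContinue |
    Select-Object @{n='Indicator';e={'.cmdline script'}}, FullName, CreationTime, @{n='Detail';e={$_.Length}})
# 3. APP_WEB_<random>.dll compiled recently under ...\Temporary ASP.NET Files\root\
$findings += @(Get-ChildItem -Path $AspNetTemp -Recurse -File -Filter 'APP_WEB_*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -like '*\Temporary ASP.NET Files\root\*' -and $_.CreationTime -ge $Since } |
    Select-Object @{n='Indicator';e={'APP_WEB dll'}}, FullName, CreationTime, @{n='Detail';e={$_.Length}})

# 4. IIS W3C logs: GET requests for human2.aspx, and unusually large responses.
#    Column positions come from each file's '#Fields:' header; rows without a
#    numeric sc-bytes value (field not logged, shown as '-') skip the size check.
foreach ($log in (Get-ChildItem -Path $IisLogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
                  Where-Object { $_.LastWriteTime -ge $Since })) {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        $hit = $null
        if ($row['cs-method'] -eq 'GET' -and $row['cs-uri-stem'] -like '*human2.aspx') { $hit = 'GET human2.aspx' }
        elseif ($row['sc-bytes'] -match '^\d+$' -and [int64]$row['sc-bytes'] -gt $LargeBytes) { $hit = 'large response' }
        if ($hit) {
            $findings += [pscustomobject]@{ Indicator = $hit; FullName = $log.FullName; CreationTime = "$($row['date']) $($row['time'])"
                Detail = "$($row['c-ip']) $($row['cs-method']) $($row['cs-uri-stem']) sc-bytes=$($row['sc-bytes'])" }
        }
    }
}

# Review the results and keep a copy for the incident record
$findings | Sort-Object Indicator | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\moveit-ioc-hunt.csv" -NoTypeInformation
```

Any hit in the first three categories, or a GET for human2.aspx in the logs, should be treated as confirmation of compromise rather than a lead to triage.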

Reset Service Account Credentials

It’s also vital to reset service account credentials for affected systems and the MOVEit Service Account. Refer to KB 000115941 for guidance on this.

3. Patch Application

Immediately apply the available patches for all supported MOVEit Transfer versions, which can be found below. The license file can remain the same to apply the patch. For information on supported versions, visit: https://community.progress.com/s/products/moveit/product-lifecycle.

Affected Version                          | Fixed Version                                  | Documentation
MOVEit Transfer 2023.0.0 (15.0)           | MOVEit Transfer 2023.0.1                       | MOVEit 2023 Upgrade Documentation
MOVEit Transfer 2022.1.x (14.1)           | MOVEit Transfer 2022.1.5                       | MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2022.0.x (14.0)           | MOVEit Transfer 2022.0.4                       | MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2021.1.x (13.1)           | MOVEit Transfer 2021.1.4                       | MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2021.0.x (13.0)           | MOVEit Transfer 2021.0.6                       | MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2020.1.x (12.1)           | Special Patch Available                        | See KB 000234559
MOVEit Transfer 2020.0.x (12.0) or older  | MUST upgrade to a supported version            | See MOVEit Transfer Upgrade and Migration Guide
MOVEit Cloud                              | Prod: 14.1.4.94 or 14.0.3.42; Test: 15.0.1.37  | Cloud Status Page

All MOVEit Cloud systems are fully patched at this time.

4. Verification

Repeat the file and account review from step 2 to confirm that the identified files were deleted and that no unauthorized accounts remain. If indicators of compromise are found, reset the service account credentials again.

5. Re-enable HTTP and HTTPS Traffic

Once the necessary remediation steps have been completed, re-enable HTTP and HTTPS traffic to your MOVEit Transfer environment.

6. Continuous Monitoring

Lastly, monitor your network, endpoints, and logs for Indicators of Compromise (IoCs) to maintain the security of your environment.

Act Now to Secure Your Data

At Perdition Security, we strongly advise that all system administrators take immediate action to safeguard their systems from this vulnerability. Your best defense is to review your systems for Indicators of Compromise (IoCs) going back at least 90 days before the public disclosure of this flaw.

Our team of seasoned cybersecurity experts is ready to assist you in securing your systems from this zero-day vulnerability. We offer comprehensive vulnerability assessments and other cybersecurity services designed to help you protect your digital assets.

Don’t wait for a breach to occur. Take action today to protect your data from this critical vulnerability. Contact Perdition Security for expert guidance and robust cybersecurity solutions.

Remember, security is not a product, but a process.

References:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023