CISA adds Progress MOVEit Transfer zero-day to its Known Exploited Vulnerabilities catalog

US CISA added an actively exploited Progress MOVEit Transfer zero-day vulnerability to its Known Exploited Vulnerabilities catalog.

US Cybersecurity and Infrastructure Security Agency (CISA) added a Progress MOVEit Transfer SQL injection vulnerability, tracked as CVE-2023-34362, to its Known Exploited Vulnerabilities Catalog.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product to steal data from organizations.

MOVEit Transfer is a managed file transfer product that enterprises use to securely transfer files using SFTP, SCP, and HTTP-based uploads.

The vulnerability is a SQL injection flaw that can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.


“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” reads the advisory published by the company. “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”

The vulnerability affects all MOVEit Transfer versions; it doesn’t affect the cloud version of the product. The company also shared Indicators of Compromise (IoCs) for this attack and urges customers that notice any of the indicators to immediately contact its security and IT teams.

Multiple security firms are warning that the vulnerability has been actively exploited in the wild.

GreyNoise researchers have observed scanning activity for the login page of MOVEit Transfer, located at /human.aspx, as early as March 3rd, 2023. For this reason, the experts recommend that Progress customers review potentially malicious activity recorded in the last 90 days.

By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by June 23, 2023.




Pierluigi Paganini


(SecurityAffairs – hacking, CISA)



