CVE-2023-35036
📋 TL;DR
CVE-2023-35036 is a critical SQL injection vulnerability in Progress MOVEit Transfer that allows unauthenticated attackers to execute arbitrary SQL commands against the database. This can lead to data theft, modification, or complete database compromise. All organizations running affected versions of MOVEit Transfer are at risk.
💻 Affected Systems
- Progress MOVEit Transfer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, data destruction, privilege escalation, and potential lateral movement to other systems.
Likely Case
Unauthorized access to sensitive data stored in MOVEit Transfer database, including files, user credentials, and configuration information.
If Mitigated
Limited impact due to network segmentation, WAF protection, and minimal database privileges, though risk remains significant.
🎯 Exploit Status
This vulnerability was actively exploited in the wild during the MOVEit Transfer attacks of 2023. Exploitation requires no authentication and has low technical complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), or 2023.0.2 (15.0.2) depending on your version
Vendor Advisory: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023
Restart Required: Yes
Instructions:
1. Identify your current MOVEit Transfer version.
2. Download the appropriate patch from the Progress Software support portal.
3. Apply the patch following the Progress installation instructions.
4. Restart the MOVEit Transfer service.
5. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Network Segmentation and Access Control
Restrict network access to MOVEit Transfer to trusted IP addresses only and implement strict firewall rules.
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block malicious payloads.
🧯 If You Can't Patch
- Immediately isolate the MOVEit Transfer server from the internet and restrict internal network access
- Implement database monitoring and alerting for suspicious SQL queries and access patterns
🔍 How to Verify
Check if Vulnerable:
Check the MOVEit Transfer version via the web interface (Admin > About) or by examining the installation files, then compare it against the affected version ranges: a build older than the patched release for its branch (listed under Official Fix) is affected.
Check Version:
Check via the web interface at https://[your-moveit-server]/Admin/About, or examine the MOVEit installation directory for version files.
Verify Fix Applied:
Verify version number matches patched versions: 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), or 2023.0.2 (15.0.2).
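As an added example (not from this page and not Progress Software's own tooling), the following Python script takes a version string copied from the About page and classifies it against the patched releases listed above. It assumes that any build on a listed branch older than that branch's patched release is vulnerable, that either the year-based or the internal (13.x to 15.x) numbering may appear, and that branches this page does not list cannot be judged from it, so they are reported as unknown rather than guessed at.

```python
import re

# Patched releases exactly as listed under "Official Fix", keyed by branch
# (major, minor). Both the year-based and the internal numbering schemes
# are included because the About page may show either form.
PATCHED_BY_BRANCH = {
    (2021, 0): (2021, 0, 7), (13, 0): (13, 0, 7),
    (2021, 1): (2021, 1, 5), (13, 1): (13, 1, 5),
    (2022, 0): (2022, 0, 5), (14, 0): (14, 0, 5),
    (2022, 1): (2022, 1, 6), (14, 1): (14, 1, 6),
    (2023, 0): (2023, 0, 2), (15, 0): (15, 0, 2),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first a.b.c triple found in free text, or None."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'.

    Assumption: every build on a listed branch that is older than that
    branch's patched release is vulnerable. Branches the page does not
    list, and unparsable input, are reported as 'unknown' rather than
    guessed at.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    floor = PATCHED_BY_BRANCH.get(version[:2])
    if floor is None:
        return "unknown"
    return "patched" if version >= floor else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings in the shape the About page shows them.
    for sample in ("MOVEit Transfer 2023.0.1 (15.0.1)", "2022.1.6", "14.0.4", "2023.1.0"):
        print(f"{sample!r}: {assess(sample)}")
```

Paste the text shown on the About page into `assess()`; an `unknown` result means the branch is not covered by this advisory and should be checked against the vendor advisory directly rather than treated as safe.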
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by successful access
- Unexpected database schema modifications
- Suspicious user agent strings in web server logs
Network Indicators:
- Unusual outbound database connections from MOVEit server
- SQL injection patterns in HTTP requests to MOVEit endpoints
- Traffic to known malicious IP addresses from MOVEit server
SIEM Query:
(source="moveit_logs" AND ("sql injection" OR "malformed query" OR "unusual database access")) OR (source="web_logs" AND (uri="*sql*" OR user_agent="*sqlmap*"))
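The log and network indicators above can be exercised offline with the following added Python example (not part of the original page and not a product feature). It runs two of the listed indicators over a constructed, simplified web-server log: SQL injection patterns in URL-decoded request URIs together with a sqlmap user agent, and a burst of failed logins followed by a success from the same client. The tab-separated record layout, the `/login` path and the threshold of three failures are assumptions made for the sample; a real deployment would parse the IIS W3C fields instead.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log in a simplified tab-separated layout:
# client_ip, request_uri, status, user_agent. Not real MOVEit or IIS output.
SAMPLE_LOG = """\
10.0.0.5\t/login\t200\tMozilla/5.0
10.0.0.9\t/files/list?folder=%27%20OR%201%3D1--\t500\tMozilla/5.0
10.0.0.9\t/files/list?folder=1%20UNION%20SELECT%20null\t500\tsqlmap/1.7
10.0.0.7\t/login\t401\tcurl/8.0
10.0.0.7\t/login\t401\tcurl/8.0
10.0.0.7\t/login\t401\tcurl/8.0
10.0.0.7\t/login\t200\tcurl/8.0
10.0.0.8\t/files/list?folder=reports\t200\tMozilla/5.0
"""

# Signatures for the "SQL injection patterns in HTTP requests" indicator,
# applied to the decoded request. Illustrative, not an exhaustive ruleset.
SQLI_RE = re.compile(
    r"(?i)('\s*or\s+\S+\s*=\s*\S+|\bunion\s+select\b|--\s*$"
    r"|;\s*(drop|alter|insert)\b|\bwaitfor\s+delay\b|\bsleep\s*\()"
)
TOOL_UA_RE = re.compile(r"(?i)sqlmap")
LOGIN_PATH = "/login"      # assumed login endpoint for the constructed sample
FAILED_THRESHOLD = 3       # assumed: this many 401s before a 200 is suspicious


def parse_line(line):
    """Split one constructed record into its four fields, decoding the URI."""
    ip, uri, status, ua = line.rstrip("\n").split("\t", 3)
    return {"ip": ip, "uri": unquote_plus(uri), "status": int(status), "ua": ua}


def detect(log_text):
    """Return (indicator, client_ip, detail) tuples for every hit in the log."""
    findings = []
    failures = defaultdict(int)   # consecutive failed logins per client
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if SQLI_RE.search(rec["uri"]):
            findings.append(("sqli_pattern", rec["ip"], rec["uri"]))
        if TOOL_UA_RE.search(rec["ua"]):
            findings.append(("scanner_user_agent", rec["ip"], rec["ua"]))
        if rec["uri"].split("?")[0] == LOGIN_PATH:
            if rec["status"] == 401:
                failures[rec["ip"]] += 1
            elif rec["status"] == 200:
                if failures[rec["ip"]] >= FAILED_THRESHOLD:
                    findings.append(("failures_then_success", rec["ip"],
                                     f"{failures[rec['ip']]} failures"))
                failures[rec["ip"]] = 0
    return findings


if __name__ == "__main__":
    for indicator, ip, detail in detect(SAMPLE_LOG):
        print(f"{indicator:24} {ip:10} {detail}")
```

Decoding the URI before matching matters: the first injected request in the sample is percent-encoded, so a pattern applied to the raw field (as the `uri="*sql*"` clause in the query above effectively does) would miss it.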