CVE-2023-35708
📋 TL;DR
This is a critical SQL injection vulnerability in Progress MOVEit Transfer that allows unauthenticated attackers to execute arbitrary SQL commands against the application's database. Attackers can modify and exfiltrate sensitive data stored in the MOVEit database. All organizations running vulnerable versions of MOVEit Transfer are affected.
💻 Affected Systems
- Progress MOVEit Transfer
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the MOVEit database including exfiltration of all stored files, credentials, and sensitive data, potentially leading to ransomware deployment or data destruction.
Likely Case
Data theft of sensitive files and credentials stored in MOVEit, potentially enabling lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, database permissions, and monitoring are in place, though data exposure risk remains.
🎯 Exploit Status
This vulnerability was actively exploited in the wild during the MOVEit Transfer attacks of June 2023. Multiple exploit tools are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), or 2023.0.3 (15.0.3)
Vendor Advisory: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Progress Software's security advisory.
2. Stop the MOVEit Transfer service.
3. Apply the patch according to vendor instructions.
4. Restart the MOVEit Transfer service.
5. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Network Isolation
Immediately block all external access to MOVEit Transfer web interfaces while patching.
Use firewall rules to block inbound traffic to MOVEit Transfer ports (typically 80/443).
Web Application Firewall
Deploy WAF rules to block SQL injection patterns targeting MOVEit endpoints.
Configure WAF to block patterns containing SQL keywords and special characters in MOVEit URLs.
🧯 If You Can't Patch
- Immediately take MOVEit Transfer offline and isolate it from the network
- Implement strict network segmentation and monitor all traffic to/from the MOVEit server
🔍 How to Verify
Check if Vulnerable:
Check the MOVEit Transfer version in the admin interface or compare installed DLL versions against patched versions.
Check Version:
Check MOVEit admin interface or examine file versions in the installation directory
Verify Fix Applied:
Verify the MOVEit Transfer version shows one of the patched versions and check that the vulnerable DLL has been updated.
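Comparing an installed version against the six fixed releases by hand is error-prone across a fleet, because each branch has its own fix number and the admin interface and DLL file versions use different numbering schemes (2023.0.x versus 15.0.x). The following script is an added example, not part of this advisory or of any Progress tooling; it encodes only the "Patch Version" values listed above and assumes the input is a dotted version string as shown in the admin interface or as the DLL file version. Hostnames in the sample inventory are constructed.

```python
"""
Check a MOVEit Transfer version string against the fixed releases listed for
CVE-2023-35708. Added example, not vendor code; the fix numbers are taken from
the advisory's "Patch Version" line. Input is assumed to be the dotted version
from the admin interface or the DLL file version, in either marketing (2023.0.x)
or internal (15.0.x) numbering.
"""
from __future__ import annotations

# Minimum fixed patch number per branch, keyed by (major, minor). Both the
# marketing number (e.g. 2023.0) and the internal number (e.g. 15.0) map to
# the same fix, so both keys are listed.
FIXED_BUILDS = {
    (2020, 1): 10, (12, 1): 10,
    (2021, 0): 8,  (13, 0): 8,
    (2021, 1): 6,  (13, 1): 6,
    (2022, 0): 6,  (14, 0): 6,
    (2022, 1): 7,  (14, 1): 7,
    (2023, 0): 3,  (15, 0): 3,
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '15.0.3' or '2023.0.3.123' into a tuple of ints; raises ValueError on junk."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"need at least major.minor.patch, got {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(text: str) -> str:
    """
    Return 'patched', 'vulnerable' or 'unknown-branch'.

    'unknown-branch' means the branch is not in the advisory's fix list;
    treat that as needing manual review, not as safe.
    """
    major, minor, patch = parse_version(text)[:3]
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if patch >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> status for an inventory of version strings."""
    return {host: patch_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "mft-01.example.internal": "2023.0.2",
        "mft-02.example.internal": "15.0.3",
        "mft-03.example.internal": "2021.1.6",
        "mft-04.example.internal": "2019.0.4",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Anything later than the listed fix on the same branch is reported as patched; a branch absent from the list (older than 2020.1, or newer branches released after this advisory) is reported as unknown so it is reviewed rather than silently passed.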
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by successful access
- Unexpected database schema modifications
Network Indicators:
- Unusual outbound database connections from MOVEit server
- Large data transfers from MOVEit to external IPs
- SQL injection patterns in HTTP requests to MOVEit endpoints
SIEM Query:
source="moveit_logs" AND (sql OR injection OR "union select" OR "sleep(" OR benchmark)
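The SIEM query above matches the raw log text, so URL-encoded or double-encoded requests slip past it. The script below is an added example, not part of this advisory or of any Progress or SIEM vendor tooling: it parses IIS W3C-format access log lines (MOVEit Transfer runs on IIS), URL-decodes the request twice, and flags the same markers the query uses. The log lines are constructed, and the endpoint paths are placeholders rather than real MOVEit routes.

```python
"""
Scan IIS W3C-format access log lines for the SQL-injection markers named in the
advisory's SIEM query ("union select", "sleep(", "benchmark"). Added example,
not from the advisory or from Progress; the log lines below are constructed and
the endpoint paths are placeholders, not real MOVEit routes.
"""
from __future__ import annotations
from urllib.parse import unquote_plus

# Markers taken from the page's SIEM query; matched after URL-decoding and lowercasing.
MARKERS = ("union select", "sleep(", "benchmark")


def parse_w3c(lines: list[str]) -> list[dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields: directive."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than guess column alignment
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious(row: dict[str, str]) -> list[str]:
    """Return the markers found in the decoded URI stem + query of one request."""
    raw = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
    decoded = unquote_plus(unquote_plus(raw)).lower()  # second pass catches %25xx double encoding
    return [m for m in MARKERS if m in decoded]


def scan(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, uri stem, markers) for every request that hits a marker."""
    hits = []
    for row in parse_w3c(lines):
        found = suspicious(row)
        if found:
            hits.append((row["c-ip"], row["cs-uri-stem"], found))
    return hits


# Constructed sample log in IIS W3C layout; IPs, paths and timestamps are made up.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2023-06-15 10:00:01 203.0.113.7 GET /placeholder/list.aspx id=42 200 Mozilla/5.0",
    "2023-06-15 10:00:02 203.0.113.7 GET /placeholder/list.aspx id=42%27+UNION+SELECT+1 500 python-requests/2.31",
    "2023-06-15 10:00:03 198.51.100.9 POST /placeholder/api x=%2553LEEP%2528 200 curl/8.0",
    "2023-06-15 10:00:04 192.0.2.5 GET /placeholder/home.aspx - 200 Mozilla/5.0",
]

if __name__ == "__main__":
    for ip, stem, markers in scan(SAMPLE_LOG):
        print(f"{ip} {stem} -> {', '.join(markers)}")
```

The third sample line is only caught because of the second decoding pass; a single-pass or raw-text match, like the SIEM query as written, reports nothing for it. Pair this with the network indicators above (large outbound transfers from the MOVEit host) rather than relying on request content alone.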
🔗 References
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
- https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability
- https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability