Critical Zero-Day Flaw Exploited in MOVEit Transfer

A critical vulnerability in the MOVEit Transfer file transfer software is being used by attackers to steal data from organizations.

The zero-day vulnerability, which Progress disclosed last week, is an SQL injection weakness in the web application of the managed file transfer (MFT) product.

The flaw (CVE-2023-34362) is reachable by an unauthenticated remote attacker and can lead to escalated privileges and unauthorized access to the MOVEit Transfer environment.

“An attacker may be able to infer information about the structure and contents of a MOVEit Transfer database, or even alter or delete database elements,” explained Zane Bond, head of product at Keeper Security.
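The impact Bond describes follows directly from the bug class. The example below is added for illustration and is not MOVEit Transfer's code, nor the actual injection point of CVE-2023-34362; the schema, payloads and function names are constructed for the demo. It shows an injectable lookup being turned into a read of the schema catalogue (structure), a read of another table's secrets (contents) and a widened DELETE (alteration), and then the same payloads failing against parameterised queries.

```python
"""Constructed illustration of the SQL injection class behind CVE-2023-34362.

Not MOVEit Transfer's code: the tables, columns, payloads and function
names are assumptions made for this example. Uses an in-memory SQLite
database so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample schema standing in for an MFT server's DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT);
        INSERT INTO files (name, owner) VALUES ('q2-report.pdf', 'alice'),
                                              ('payroll.csv', 'bob');
        INSERT INTO users (username, api_key) VALUES ('alice', 'ak-alice-0001'),
                                                      ('bob', 'ak-bob-0002');
        """
    )
    return conn


# ---- vulnerable: attacker-controlled text is spliced into the SQL string ----

def lookup_file_vulnerable(conn, name):
    """Return (name, owner) rows; the filter value is concatenated into SQL."""
    sql = f"SELECT name, owner FROM files WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def delete_file_vulnerable(conn, name):
    """Delete by name via string-built SQL; return the rows left in files."""
    conn.execute(f"DELETE FROM files WHERE name = '{name}'")
    return conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]


# ---- hardened: the value travels as a bound parameter, never as SQL ----

def lookup_file_safe(conn, name):
    """Same lookup with a bound parameter; the value can never become SQL."""
    return conn.execute(
        "SELECT name, owner FROM files WHERE name = ?", (name,)
    ).fetchall()


def delete_file_safe(conn, name):
    """Same delete with a bound parameter; return the rows left in files."""
    conn.execute("DELETE FROM files WHERE name = ?", (name,))
    return conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]


# Constructed payloads. The first UNIONs the schema catalogue into the result
# set (infer structure); the second reads another table's secrets (infer
# contents); the third widens a DELETE to every row (alter/delete).
INFER_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master WHERE type='table' -- "
DUMP_KEYS = "x' UNION SELECT username, api_key FROM users -- "
DELETE_ALL = "x' OR '1'='1"


def demo():
    """Run each payload against both code paths and return the outcomes."""
    conn = make_db()
    schema = lookup_file_vulnerable(conn, INFER_SCHEMA)   # table names + DDL
    keys = lookup_file_vulnerable(conn, DUMP_KEYS)        # users' API keys
    safe_schema = lookup_file_safe(conn, INFER_SCHEMA)    # [] : no such file
    safe_left = delete_file_safe(conn, DELETE_ALL)        # 2 : nothing deleted
    vuln_left = delete_file_vulnerable(conn, DELETE_ALL)  # 0 : table emptied
    return {
        "schema": schema,
        "keys": keys,
        "safe_schema": safe_schema,
        "safe_left": safe_left,
        "vuln_left": vuln_left,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened pair is that the fix is not "validate harder": the payloads above contain only characters a filename may legitimately carry, so a blocklist would either break real input or miss variants. Binding the value as a parameter makes it data by construction, which is what Bond's "alter or delete database elements" scenario hinges on.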

Progress's original advisory did not mention any instances of exploitation. However, according to a more recent blog post by Rapid7 (and Progress's updated advisory), the vulnerability is now being actively exploited.

“We have observed an uptick in related cases since the vulnerability was disclosed publicly on May 31, 2023; Rapid7 intelligence indicates that the threat actors leveraging [it] have exploited a wide range of organizations, particularly in North America,” reads the blog post.

As of May 31, there were approximately 2500 publicly accessible instances of MOVEit Transfer, according to Rapid7.

The vulnerability affects all MOVEit Transfer versions prior to the fixed releases Progress published on May 31, 2023. Rapid7 warned that it is crucial to apply the available patches promptly. Because exploitation began before the fix was available, patching alone does not evict an attacker who is already inside: Progress also advised checking for indicators of unauthorized access over at least the past 30 days before bringing a patched server back online.

Additionally, organizations running MOVEit Transfer with the Microsoft Azure integration should rotate their Azure storage keys immediately, given that the flaw exposes the contents of the application database.

“The MOVEit Transfer case bears a striking resemblance to a slew of SQLi attacks happening on file storage and transfer systems, the latest being QNAP devices and a high-profile attack by Clop on Fortra’s GoAnywhere file transfer software,” commented Craig Jones, vice president of security operations at Ontinue.

The security expert added that, from an application security standpoint, the vulnerability found in MOVEit Transfer serves as a reminder of the importance of thorough input validation, robust access control and secure coding practices in safeguarding against such exploits.

Commenting on the flaw, a MOVEit spokesperson told Infosecurity that its customers have been, and will always be, the company's top priority.

"When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit," the spokesperson added.

Further, they confirmed MOVEit is continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure all appropriate response measures are taken.

"We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cyber-criminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

This article was updated on June 6th to include MOVEit's comment.
