Progress Software Corporation has released a security advisory for a vulnerability in internet-facing and on-premises instances of its MOVEit Transfer product. Successful exploitation could lead to escalated privileges and unauthorized access to the affected environment. The vulnerability, CVE-2023-34362, is being actively exploited in the wild.
Please notify infosec@yorku.ca immediately if you are using MOVEit.
Severity level:
CVSS Score: 9.8/ Critical
CVE Details:
CVE-2023-34362
CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application that attackers have chained with additional flaws to achieve remote code execution (RCE) with elevated privileges. Successful exploitation could allow an unauthenticated attacker to gain access to the MOVEit Transfer database, infer information about its structure and contents, and execute SQL statements that alter or delete database elements.
CVE-2023-35036
The patches for CVE-2023-35036 address additional SQL injection flaws in MOVEit Transfer that were identified while investigating the exploit chain used against the first vulnerability, CVE-2023-34362.
CVE-2023-35708
A third vulnerability, also a SQL injection flaw, was identified in what was at the time the latest release of MOVEit Transfer. An unauthenticated remote attacker could exploit it to steal or modify data.
Affected Versions:
All MOVEit Transfer versions released before the corresponding fixed versions are affected; consult the Progress advisory for the exact fixed version of each release line.
Impact:
An attacker can gain unauthorized access to the MOVEit Transfer database, infer its structure and contents, alter or delete its data, and potentially chain these flaws to achieve remote code execution on the server.
Resolution:
Apply the patches that Progress has published for the MOVEit Transfer critical vulnerabilities, or follow the vendor's remediation steps if patching is not immediately possible.
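To determine whether a Windows server is running MOVEit Transfer (and which version, so it can be compared against the fixed versions in the Progress advisory), the following inventory check can be run on each candidate host. This is an added example for this notice, not a script from Progress or from the advisory; it assumes MOVEit Transfer registers itself under the standard Windows Uninstall registry keys with a DisplayName containing "MOVEit" and installs at least one Windows service whose display name also contains "MOVEit". Run it in an elevated PowerShell session.

```powershell
# Added example (not vendor code): inventory check for MOVEit Transfer on a Windows host.
# Assumption: the product registers under the standard Uninstall keys with "MOVEit" in
# its DisplayName and installs a service whose DisplayName contains "MOVEit".

function Get-MoveitInstallInfo {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Installed-program entries whose display name mentions MOVEit
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*MOVEit*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

    # Services whose display name mentions MOVEit, with their current state
    $services = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*MOVEit*' } |
        Select-Object Name, DisplayName, Status

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = ($products.Count -gt 0 -or $services.Count -gt 0)
        Products     = $products
        Services     = $services
    }
}

$info = Get-MoveitInstallInfo
if ($info.Installed) {
    Write-Host "MOVEit components found on $($info.ComputerName):" -ForegroundColor Yellow
    $info.Products | Format-Table -AutoSize
    $info.Services | Format-Table -AutoSize
    Write-Host "Compare DisplayVersion against the fixed versions in the Progress advisory and report to infosec@yorku.ca."
} else {
    Write-Host "No MOVEit components found on $($info.ComputerName)."
}
```

The reported DisplayVersion is what should be checked against the fixed versions listed in the Progress advisory; a running service with an older version means the host needs to be patched (or taken offline per the vendor's remediation steps) and reported.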