• United States



Apurva Venkat
Special Correspondent

MOVEit Transfer vulnerability appears to be exploited widely

Jun 02, 20234 mins
VulnerabilitiesZero-day vulnerability

A SQL injection vulnerability has been found in the MOVEit Transfer web application, allowing an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

A broken link in a digital chaing / weakness / vulnerability

Progress Software has discovered a vulnerability in its file transfer software MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment, the company said in a security advisory. 

“A SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database,” the company said in the post, adding that depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. 

MOVEit Transfer is designed to allow enterprises to transfer files between business partners and customers securely. 

“All MOVEit Transfer versions are affected by this vulnerability,” Progress said in the advisory. The company has made patches available for versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). 

The vulnerability is yet to be assigned a CVE and CVS score. 

The vulnerability has been exploited

Several cybersecurity firms have reported that threat actors have likely already exploited the vulnerability. “Progress Software is advising MOVEit customers to check for indicators of unauthorized access over at least the past 30 days, which implies that attacker activity was detected before the vulnerability was disclosed,” Rapid7 said in a blog post.

As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the US, Rapid7 said in the blog. The firm has identified the same web shell name in multiple customer environments, which may indicate automated exploitation. 

The web shell code can first determine if an inbound request contains a header named X-siLock-Comment, and returns a 404 “Not Found” error if the header is not populated with a specific password-like value.

“As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory (human.aspx is the native aspx file used by MOVEit for the web interface),” Rapid7 said in the blog. 

Users advised reviewing activity for the last 90 days

Cybersecurity firm GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023.

“While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as “Malicious” by GreyNoise for prior activities, the company said in a blog post, adding that based on the scanning activity observed, it is recommended that users of MOVEit Transfer should extend the time window for their review of potentially malicious activity to at least 90 days. 

Similarly, TrustedSec, also noted that the backdoors have been uploaded to public sites since May 28, 2023, “meaning the attackers likely took advantage of the Memorial Day holiday weekend to gain access to systems. There have also been reports of data exfiltration from affected victims,” TrustedSec said in a blog post.

Mitigation recommendations

Progress advises users to deny all HTTP (TCP/80) and HTTPS (TCP/443) traffic to the MOVEit environment. Note that this will block all access to the system, but SFTP/FTP,  which currently appears unaffected, will still work.

The company also advises isolating the servers by blocking inbound and outbound traffic and inspecting the environments for possible indicators of compromise, and if so, deleting them before applying the fixes.

“File transfer solutions have been popular targets for attackers, including ransomware groups, in recent years. We strongly recommend that MOVEit Transfer customers prioritize mitigation on an emergency basis,” Rapid7 said in the post. 

An alert urging users and organizations to follow the mitigation steps to secure against any malicious activity has also been issued by CISA.

Apurva Venkat
Special Correspondent

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.

More from this author