On 9 June 2023, Progress released a security advisory detailing newly discovered SQL injection vulnerabilities impacting the MOVEit Transfer web application and Cloud. The vulnerabilities are distinct from CVE-2023-34362, which was actively exploited by Clop Ransomware to exfiltrate data and extort compromised organisations. Although distinct, the vulnerabilities result in nearly identical unauthorised access where threat actors could modify or disclose MOVEit database content.
All MOVEit Transfer versions are impacted by these vulnerabilities, including End-of-Life (EOL) versions under MOVEit Transfer (DMZ).
NOTE: MOVEit Cloud is also impacted by these vulnerabilities; however, Progress has tested and deployed a patch to all MOVEit Cloud clusters to remediate them.
For additional information surrounding CVE-2023-34362 and Arctic Wolf actions surrounding the vulnerability, refer to the Security Bulletins:
Recommendations
If your organisation has not applied security patches for CVE-2023-34362, we strongly recommend following the remediation guidance provided in the MOVEit Transfer Critical Vulnerability (May 2023) article here:
If up to date, apply the patches outlined in the table below to remediate the newly discovered vulnerabilities.
Recommendation: Apply the Latest Security Patches Released by Progress
Progress has provided two methods to remediate the newly discovered vulnerabilities to minimise disruptions to operational environments.
Applying the DLL drop-in could reduce operational interruptions to the application during an upgrade compared to a full installer.
NOTE: To apply the DLL drop-in, your organisation must have the required listed version installed first.
| DLL Drop-in | | |
| Affected Version | Fixed Version | Documentation |
| MOVEit Transfer 2023.0.1 | | See the README.txt file in the *.zip file |
| MOVEit Transfer 2022.1.5 | | See the README.txt file in the *.zip file |
| MOVEit Transfer 2022.0.4 | | |
| MOVEit Transfer 2021.14 | | See the README.txt file in the *.zip file |
| MOVEit Transfer 2021.0.6 | | |
| MOVEit Transfer 2020.1.6 or later | | See the README.txt file in the *.zip file |
| MOVEit Transfer 2020.0.x or older | MUST upgrade to a supported version | |

| Full Installer | | |
| Affected Version | Fixed Version | Documentation |
| MOVEit Transfer 2023.0.x | | |
| MOVEit Transfer 2022.1.x | | |
| MOVEit Transfer 2022.0.x | | |
| MOVEit Transfer 2021.1.x | | |
| MOVEit Transfer 2021.0.x | | |
| MOVEit Transfer 2020.1.x | Special Patch Available | See KB |
| MOVEit Transfer 2020.0.x or older | MUST upgrade to a supported version | |
| MOVEit Cloud | Prod: 14.1.6.97 or 14.0.5.45; Test: 15.0.2.39 | All MOVEit Cloud systems are fully patched at this time. |
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.



