MOVEit Transfer CVE-2023-34362: Anatomy of a Critical SQL Injection and Real-World Exploitation
Introduction
In late May 2023, a wave of ransomware attacks swept through government agencies and enterprises worldwide, exploiting a previously unknown flaw in Progress Software’s MOVEit Transfer. The breach, orchestrated by the Clop ransomware group, led to the compromise of sensitive data from thousands of organizations and exposed systemic weaknesses in managed file transfer infrastructure. CVE-2023-34362, a critical SQL injection vulnerability (CVSS 9.8), was the linchpin of this campaign, enabling unauthenticated attackers to seize control of MOVEit Transfer databases, deploy persistent web shells, and launch extortion operations at scale.
About MOVEit Transfer and Progress Software:
MOVEit Transfer is a flagship managed file transfer (MFT) solution from Progress Software, widely adopted in sectors where secure data exchange is mission-critical. The platform is entrenched in government, healthcare, and financial services, with a significant share of U.S. federal agencies and Fortune 500 companies relying on its infrastructure. Progress Software, while a major player in secure file transfer, faced intense scrutiny in 2023 due to a series of critical vulnerabilities affecting its flagship product line.
Technical Information
CVE-2023-34362 is a SQL injection vulnerability affecting MOVEit Transfer versions prior to 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1. The flaw resides in the web application’s HTTP/S request handlers, which insufficiently sanitized user-supplied input before constructing SQL queries. Attackers could exploit this by sending crafted requests, most notably to the /human.aspx endpoint, that embedded SQL statements which the backend database would execute (unit42.paloaltonetworks.com, blog.qualys.com).
The attack chain unfolded as follows:
- Initial Access via SQL Injection: Unauthenticated attackers sent specially crafted HTTP or HTTPS requests to vulnerable MOVEit Transfer endpoints. The SQL injection allowed them to enumerate the database schema, extract credentials, and escalate privileges.
- Web Shell Deployment: With elevated access, attackers deployed a custom web shell known as LEMURLOOT (human2.aspx) to the wwwroot directory. This web shell provided persistent access and command execution and facilitated further data exfiltration (cisa.gov, blog.qualys.com).
- Data Exfiltration and Extortion: Attackers used the web shell to steal sensitive files, database contents, and Azure storage keys. Exfiltrated data was leveraged for extortion, with victims threatened via the Clop leak site (sentinelone.com).
The vulnerability was effective against MOVEit Transfer deployments using MySQL, Microsoft SQL Server, or Azure SQL as the backend. Forensic investigations revealed that the attackers had mapped the database schema in advance, indicating extensive reconnaissance and pre-exploitation research (kroll.com).
Proof of Concept
The proof-of-concept (PoC) exploit for CVE-2023-34362, developed by Horizon3, demonstrates remote code execution on vulnerable MOVEit Transfer systems via SQL injection.
Exploit Overview:
- SQL Injection to Obtain Sysadmin API Token: The exploit initiates by leveraging the SQL injection flaw to retrieve a sysadmin API access token from the MOVEit Transfer database.
- Abuse of Deserialization for RCE: With the sysadmin API token, the attacker interacts with application API endpoints, targeting a deserialization function. By injecting a malicious payload into this process, arbitrary code execution is achieved on the server.
Technical Details:
- Identity Provider Endpoint: The PoC requires an Identity Provider (IDP) endpoint hosting RS256 certificates to forge arbitrary user tokens. By default, Horizon3’s AWS-hosted IDP endpoint is used.
- Payload Execution: The default PoC writes a file named message.txt to C:\Windows\Temp\ on the target system, demonstrating code execution.
- Alternative Payloads: Custom payloads can be generated using the ysoserial.net project.
Usage Example:
python CVE-2023-34362.py https://target-url
Disclaimer: The PoC is for educational and research purposes only. Unauthorized use is illegal and unethical.
PoC Source: https://github.com/horizon3ai/CVE-2023-34362
Patch Information
Progress Software has released patches for MOVEit Transfer to address CVE-2023-34362. Users should upgrade to one of the following fixed versions:
- 2021.0.6
- 2021.1.4
- 2022.0.4
- 2022.1.5
- 2023.0.1
For MOVEit Transfer 2020.1.x (12.1), a special patch is available. Users of MOVEit Transfer 2020.0.x (12.0) or older should upgrade to a supported version. If immediate upgrading is not possible, disable HTTP and HTTPS traffic to MOVEit Transfer by blocking ports 80 and 443 at the firewall. Note that SFTP and FTP protocols will remain functional. These mitigations are not substitutes for patching and should be temporary.
Patch Source: https://www.tenable.com/blog/cve-2023-34362-moveit-transfer-critical-zero-day-vulnerability-exploited-in-the-wild
Detection Methods
Detecting exploitation of CVE-2023-34362 requires vigilant monitoring for indicators of compromise (IoCs):
File Activity Monitoring:
- Watch the wwwroot directory for new files with extensions such as .aspx, .dll, .exe, .ps1, .vbs, .vbe, .bat, .cmd, .zip, .rar, and .7z.
- Be alert for files named _human2.aspx or human2.aspx in wwwroot, as these are associated with exploitation attempts.
Log Analysis:
- Enable and review database logs for unexpected SQL statements or errors suggesting SQL injection.
- Examine MOVEit Transfer logs for msg_post actions with unusual IP addresses or user agents.
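As an added example, not code from this report or from Progress Software, the following Python helpers apply the file-activity and log-analysis guidance above: they flag the web shell file names and newly appeared executable or archive files under wwwroot, and parse IIS W3C log lines to surface requests to human2.aspx while leaving legitimate /human.aspx traffic alone. The sample log lines, the baseline set and the IP addresses are constructed for illustration.

```python
"""Triage helpers for CVE-2023-34362 indicators: web shell files and IIS log hits."""
from pathlib import PurePosixPath, PureWindowsPath

# Extensions and file names from the file-activity guidance in this report.
SUSPICIOUS_EXT = {".aspx", ".dll", ".exe", ".ps1", ".vbs", ".vbe", ".bat",
                  ".cmd", ".zip", ".rar", ".7z"}
WEBSHELL_NAMES = {"human2.aspx", "_human2.aspx"}

def triage_wwwroot(paths, baseline):
    """Return (path, reason) for files under wwwroot that carry a known web
    shell name, or that are missing from a known-good baseline (lower-cased
    relative paths from a clean install) and have a suspicious extension."""
    findings = []
    for p in paths:
        win = PureWindowsPath(p)
        if win.name.lower() in WEBSHELL_NAMES:
            findings.append((p, "known LEMURLOOT web shell name"))
        elif p.lower() not in baseline and win.suffix.lower() in SUSPICIOUS_EXT:
            findings.append((p, "new file with executable/archive extension"))
    return findings

def parse_w3c(lines):
    """Yield one dict per request from IIS W3C log lines, mapping columns by
    the '#Fields:' header (IIS encodes spaces inside values as '+')."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def flag_webshell_requests(lines):
    """Return (client_ip, uri_stem, status) for every request whose path ends
    in a web shell name; legitimate /human.aspx traffic is not flagged."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        if PurePosixPath(stem.lower()).name in WEBSHELL_NAMES:
            hits.append((row.get("c-ip"), stem, row.get("sc-status")))
    return hits

# Constructed sample log: normal MOVEit requests plus one hit on the shell.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-28 02:14:07 10.0.0.5 POST /human.aspx - 443 203.0.113.7 Mozilla/5.0 200
2023-05-28 02:14:09 10.0.0.5 GET /human2.aspx - 443 203.0.113.7 Mozilla/5.0 200
2023-05-28 02:14:10 10.0.0.5 GET /human.aspx - 443 198.51.100.20 Mozilla/5.0 200
""".splitlines()
```

Feed real wwwroot listings and the server's IIS logs into these two functions; any hit on the web shell names warrants full incident response rather than just file removal.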
Network Traffic Monitoring:
- Monitor for anomalous HTTP/HTTPS requests to MOVEit Transfer, especially those with unusual parameters or payloads.
- Watch for large outbound data transfers from the server to external IPs, which may indicate data exfiltration.
Endpoint Detection and Response (EDR):
- Use EDR tools to detect execution of unexpected processes or scripts on the MOVEit Transfer server.
Recommendations:
- Conduct regular audits of file systems, logs, and network traffic.
- Patch MOVEit Transfer to the latest version.
- Restrict server access and monitor for unauthorized attempts.
Affected Systems and Versions
CVE-2023-34362 affects the following MOVEit Transfer versions:
- All versions before 2021.0.6 (13.0.6)
- All versions before 2021.1.4 (13.1.4)
- All versions before 2022.0.4 (14.0.4)
- All versions before 2022.1.5 (14.1.5)
- All versions before 2023.0.1 (15.0.1)
- All older, unsupported versions (including 2020.0.x, 2019.x, and earlier)
The vulnerability is present regardless of backend database configuration (MySQL, Microsoft SQL Server, or Azure SQL).
Vendor Security History
Progress Software experienced three critical SQL injection vulnerabilities in MOVEit Transfer within a single month in 2023: CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708. Each flaw allowed unauthenticated attackers to compromise the application. The vendor responded with rapid patch releases and architectural changes, but the recurrence of similar vulnerabilities highlighted ongoing challenges in secure development and vulnerability management.
References
- NVD CVE-2023-34362
- CISA Advisory
- Rapid7 Analysis
- Palo Alto Unit42 Threat Brief
- SentinelOne Threat Analysis
- Kroll Incident Response
- Qualys Technical Blog
- Tenable Patch Guidance
- Horizon3 PoC
- Detection Sigma Rule
- Rapid7 Detection Timeline
Source: This report was created using AI
If you have suggestions for improvement or feedback, please reach out to us at [email protected]