MOVEit Transfer Critical Vulnerability Let Attackers Escalate Privileges

MOVEit Transfer software was found to contain a vulnerability that could lead to privilege escalation and unauthorized access to the environment.

Users are advised to take the actions described below until a patch is released by the MOVEit team.

SQL Injection (CVE – Pending – Submitted to MITRE)

The MOVEit Transfer web application was vulnerable to SQL injection, allowing threat actors to gain unauthorized access to the MOVEit Transfer database.

The backing database can be MySQL, Microsoft SQL Server, or Azure SQL; a remote attacker who exploits the flaw can execute SQL statements that modify or delete database information.

Affected Versions and Patches

All MOVEit Transfer versions are affected by this vulnerability. Patches are available for some of the affected versions.

| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.0 | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x | MOVEit Transfer 2022.0.4 | |
| MOVEit Transfer 2021.1.x | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x | MOVEit Transfer 2021.0.6 | |

To mitigate this SQL injection vulnerability, users are advised to follow the steps below.

1. Disable All HTTP and HTTPS traffic to your MOVEit Transfer Environment

Users are advised to deny traffic on ports 80 (HTTP) and 443 (HTTPS) until the patches are applied. The impacts of this step include:

  • Login to the MOVEit Transfer web UI will be disabled
  • Automation tasks that use the native MOVEit Transfer host will not work
  • REST, Java and .NET APIs will not function
  • SFTP and FTP will continue to work; administrators can still access MOVEit Transfer using a remote desktop

2. Review, Delete, and Reset

Unauthorized files and user accounts must be deleted. All logs must be reviewed for file downloads from unknown IP addresses.

New files created in the C:\MOVEitTransfer\wwwroot\ directory must be deleted.

Resetting service account credentials for affected systems is recommended.
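
The two steps above can be scripted on the MOVEit Transfer host. The following PowerShell is an added example, not code from Progress or from the original article: it adds a temporary Windows Firewall rule blocking inbound ports 80 and 443, then inventories recently created or modified files under the wwwroot directory so they can be reviewed and preserved as evidence before anything is deleted. The rule name, the 30-day review window and the report path are assumptions to adjust for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Values marked ASSUMPTION are not from the article.
param(
    [string]   $WebRoot     = 'C:\MOVEitTransfer\wwwroot',            # path named in the article
    [datetime] $ReviewSince = (Get-Date).AddDays(-30),                # ASSUMPTION: review window
    [string]   $ReportPath  = "$env:TEMP\moveit-wwwroot-review.csv"   # ASSUMPTION: report location
)

# Step 1: deny inbound HTTP/HTTPS until the patch is applied.
$ruleName = 'TEMP - Block inbound HTTP/HTTPS to MOVEit Transfer'      # ASSUMPTION: hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 80, 443 -Profile Any | Out-Null
}
# Show the ports the rule covers so the change can be confirmed.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Step 2: list files created or modified inside the review window.
# Nothing is deleted here; the CSV (with SHA-256 hashes) is the record for
# the investigation, and deletion happens only after each file is reviewed.
$cutoffUtc = $ReviewSince.ToUniversalTime()
$recent = Get-ChildItem -LiteralPath $WebRoot -Recurse -File -Force |
    Where-Object { $_.CreationTimeUtc -ge $cutoffUtc -or $_.LastWriteTimeUtc -ge $cutoffUtc } |
    Sort-Object CreationTimeUtc |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc,
        @{ Name = 'SHA256'; Expression = {
            (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }

$recent | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$recent | Format-Table FullName, CreationTimeUtc, LastWriteTimeUtc -AutoSize
Write-Host "$(@($recent).Count) file(s) to review; report written to $ReportPath"
```

Remove the firewall rule with `Remove-NetFirewallRule -DisplayName` once the fixed version is installed.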

Progress researchers have also provided a complete step-by-step approach to remediate this vulnerability. MOVEit Transfer users are advised to apply the available patches for the affected versions.

A complete report has been published, including indicators of compromise, remediation steps, and other information.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.