A critical vulnerability has been discovered in MOVEit Transfer, a commonly used managed file transfer (MFT) solution developed by Progress Software. This vulnerability allows remote attackers to execute arbitrary code on affected systems. The vulnerability is actively exploited in the wild, posing a significant threat to organizations using MOVEit Transfer.
What is the threat?
The vulnerability in MOVEit Transfer is caused by an input validation flaw (SQL injection). It allows remote attackers to inject and execute arbitrary code on affected systems. By exploiting this vulnerability, attackers can gain unauthorized access to sensitive information (MOVEit Transfer’s Database), compromise the affected system, and potentially propagate attacks to other network resources.
Why is it noteworthy?
Active exploitation of this vulnerability has been observed in the wild. Attackers are targeting organizations using MOVEit Transfer, increasing the urgency to address the vulnerability promptly. Successful exploitation allows attackers to execute arbitrary code on the affected system. This level of control can lead to various malicious activities, including unauthorized access, data exfiltration, and system disruption.
What is the exposure or risk?
Upon a successful exploitation, attack can gain complete control over the compromised MOVEit Transfer instance, granting them access to sensitive files, credentials, and system resources. Confidential and sensitive information stored or transferred through MOVEit Transfer can be accessed, exfiltrated, or modified by unauthorized parties. This includes personally identifiable information (PII), financial data, intellectual property, or sensitive customer data. Additionally, the compromised MOVEit Transfer instances may become inaccessible or unstable, disrupting critical file transfer operations. This can impact business continuity, leading to financial loss and reputational damage.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of a MOVEit Transfer Vulnerability:
- Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
- Delete unauthorized files and user accounts in the MOVEit Transfer environment.
- Reset service account credentials for affected systems and MOVEit Service Account.
- Isolate the affected MOVEit Transfer instances from critical systems and network segments to limit the potential spread of an attack. Implement strict access controls and firewall rules to minimize exposure.
- Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
- Apply the patches on the affected MOVEit Transfer versions.
- Fixed Version: 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, 2021.0.6
References
For more in-depth information about the recommendations, please visit the following links:
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- https://community.progress.com/s/products/moveit/product-lifecycle
- https://docs.progress.com/category/moveit-transfer-2023
- https://docs.progress.com/category/moveit-transfer-2022
- https://docs.ipswitch.com/MOVEit/Transfer2021/Manuals/en/index.htm#90000.htm
- https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2022/page/Users.html
If you have any questions regarding this Cybersecurity Threat Advisory, please contact our Security Operations Center.
