[UPDATED] Critical Vulnerability in MOVEit Transfer
16 June 2023
Progress Software has discovered a critical vulnerability (CVE-2023-35708) in MOVEit Transfer, a managed file transfer software.
Successful exploitation of the SQL Injection vulnerability could allow an unauthenticated attacker to escalate their privileges and potentially gain unauthorised access to the targeted environment.
The vulnerability affects the following product versions:
- MOVEit Transfer 2023.0.x (15.0.x)
- MOVEit Transfer 2022.1.x (14.1.x)
- MOVEit Transfer 2022.0.x (14.0.x)
- MOVEit Transfer 2021.1.x (13.1.x)
- MOVEit Transfer 2021.0.x (13.0.x)
- MOVEit Transfer 2020.1.x (12.1.x)
Users and administrators of affected product versions are advised to update to the latest versions immediately.
Users and administrators who are unable to update their affected products immediately are advised to follow the mitigation measure below:
- Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment by modifying firewall rules to deny traffic on ports 80 and 443
It should be noted that applying the aforementioned workaround will also lead to the following (until HTTP and HTTPS traffic is enabled again):
- Users will not be able to log on to the MOVEit Transfer web UI
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work
- REST, Java and .NET APIs will not work
- MOVEit Transfer add-in for Outlook will not work
Applying the above workaround will not affect SFTP and FTP/s protocols. Users and administrators will also still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.
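One way to apply the interim workaround on the MOVEit Transfer host itself, using Windows Defender Firewall cmdlets (added example, not from the advisory or from Progress; the rule names are assumptions, and the rules are removed once the host is patched):

```powershell
# Added example: block inbound HTTP/HTTPS to the MOVEit Transfer host while it is unpatched.
# Run in an elevated PowerShell session on the MOVEit Transfer Windows server.
# Rule names are assumptions chosen so the rules can be found and removed later.
$ruleTag = "MOVEit-CVE-2023-35708-workaround"

# Deny inbound TCP 80 and 443 from all remote addresses on every firewall profile.
New-NetFirewallRule -DisplayName "$ruleTag HTTP"  -Direction Inbound -Protocol TCP -LocalPort 80  -Action Block -Profile Any
New-NetFirewallRule -DisplayName "$ruleTag HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Block -Profile Any

# Verify the rules exist, are enabled, and carry the expected ports.
Get-NetFirewallRule -DisplayName "$ruleTag*" |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
Get-NetFirewallRule -DisplayName "$ruleTag*" | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# From another machine, confirm TCP 443 is no longer reachable (substitute the real host name).
# Test-NetConnection -ComputerName moveit.example.internal -Port 443
# Expected: TcpTestSucceeded = False while the block rules are in place.

# After updating MOVEit Transfer to a fixed version, remove the workaround rules.
# Get-NetFirewallRule -DisplayName "$ruleTag*" | Remove-NetFirewallRule
```

Administrators on the server itself can still reach https://localhost/ as the advisory notes, and SFTP and FTP/s listeners are unaffected because only TCP 80 and 443 are blocked.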
More information is available here:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023