Cato Protects Against MOVEit vulnerability (CVE-2023-34362)

A new critical vulnerability (CVE-2023-34362) has been published by Progress Software in its file transfer application, MOVEit Transfer. A SQL Injection vulnerability was discovered in MOVEit enabling unauthenticated access to MOVEit’s Transfer database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements 

Currently, Cato Research Labs is aware of exploitation attempts of CVE-2023-34362 as an initial access vector used by the CLOP ransomware group to gain access to the MOVEit Transfer MFT solution and deliver a web shell (“Human2.aspx”) tailored specifically to this product. While details about the web shell have surfaced in the last few days as well as several suspected endpoints involved, the actual SQLi payload and specific details of the injection point have not been made public. 

Cato’s Response  

Cato has deployed signatures across the Cato Cloud to prevent uploading or interacting with the web shell.  The detect-to-protect time was 3 days and 6 hours for all Cato-connected users worldwide. Furthermore, Cato recommends restricting public access to MOVEit instances only to users protected by Cato security – whether behind a Cato Socket or remote users running the Cato Client.  

Currently, Cato Research Labs has found evidence for opportunistic scanners attempting to scan public facing servers for the presence of the web shell (rather than actually exploiting the vulnerability). Scanning public facing servers is a common practice for opportunistic actors, riding the tail of a zero-day campaign. 

Cato continues to monitor for further details regarding this CVE and will update our security protections accordingly. Check out the Cato Networks CVE mitigation page where we update regularly.