CVE-2023-34362
published 2023-06-02

Priority: P1 (98) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability: due 2023-06-23
Exploited in the wild
EPSS: 99.93% (100.0th percentile)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Affected

17 ranges

Vendor     Product            Version range                Fixed in
paloalto   cortex_data        (none listed)                (none listed)
paloalto   cortex_xdr         (none listed)                (none listed)
paloalto   cortex_xpanse      (none listed)                (none listed)
paloalto   cortex_xsoar       (none listed)                (none listed)
paloalto   globalprotect      (none listed)                (none listed)
paloalto   pan-os             (none listed)                (none listed)
paloalto   prisma_access      (none listed)                (none listed)
paloalto   prisma_cloud       (none listed)                (none listed)
paloalto   prisma_sd          (none listed)                (none listed)
progress   moveit_cloud       < 14.0.5.45                  14.0.5.45
progress   moveit_cloud       >= 14.1.0.0 < 14.1.6.97      14.1.6.97
progress   moveit_cloud       >= 15.0.0.0 < 15.0.2.39      15.0.2.39
progress   moveit_transfer    < 2021.0.7                   2021.0.7
progress   moveit_transfer    >= 2021.1.0 < 2021.1.5       2021.1.5
progress   moveit_transfer    >= 2022.0.0 < 2022.0.5       2022.0.5
progress   moveit_transfer    >= 2022.1.0 < 2022.1.6       2022.1.6
progress   moveit_transfer    >= 2023.0.0 < 2023.0.2       2023.0.2

Note: the nine paloalto rows carry no version range and no fix, so they are not usable as affected-version data. The Progress "Fixed in" builds are one release later than the minimum fixed versions in the description (2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, 2023.0.1); any build at or above the description's versions is patched for this CVE. The fix must be checked per release branch, not by a single numeric comparison: 2021.1.4 is patched while the numerically larger 2022.0.3 is not.
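Added example (not code from the page or from Progress): a small Python checker that maps a MOVEit Transfer version string onto the advisory's release branches and reports whether it falls below that branch's minimum fixed version, which is what a fleet inventory script needs. It accepts the marketing version (2022.1.3), the build numbering the advisory pairs with it (14.1.3, using the page's pairs 13 = 2021, 14 = 2022, 15 = 2023; extending that to 12 = 2020 is an assumption), and four-part cloud builds such as 14.1.6.97. Treating branches newer than 2023.0 as patched is also an assumption, since the page lists none.

```python
"""Decide whether a MOVEit Transfer build is patched for CVE-2023-34362 (added example)."""

# Minimum fixed versions from the advisory text, keyed by release branch (year, minor).
FIXED = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}


def normalize(text):
    """Map a version string to a (year, minor, patch) tuple.

    Handles marketing versions (2022.1.3), the build numbering the advisory pairs with
    them (14.1.3: 13 == 2021, 14 == 2022, 15 == 2023; assumption: 12 == 2020), and
    four-part cloud builds (14.1.6.97), whose fourth component is ignored.
    """
    nums = [int(p) for p in text.strip().split(".")]
    if len(nums) < 2:
        raise ValueError(f"need at least major.minor: {text!r}")
    major, minor = nums[0], nums[1]
    patch = nums[2] if len(nums) > 2 else 0
    if major < 100:  # build numbering rather than a year
        major = 2021 + (major - 13)
    return (major, minor, patch)


def is_vulnerable(version):
    """True if the build is below its branch's minimum fixed version."""
    v = normalize(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if branch < min(FIXED):
        return True   # 2020.x, 2019.x and older: every earlier branch is affected, per the advisory
    if branch > max(FIXED):
        return False  # assumption: branches shipped after 2023.0 carry the fix
    raise ValueError(f"branch {branch[0]}.{branch[1]} is not covered by the advisory")


def triage(versions):
    """Return {version: 'VULNERABLE' | 'patched'} for a list of inventory strings."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "patched") for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for ver, verdict in triage(["2022.0.3", "2021.1.4", "2020.0", "13.0.5", "14.1.6.97"]).items():
        print(f"{ver:>12}  {verdict}")
```

Run it against the version reported in the product's Help/About dialog or your asset inventory; a branch the advisory does not name raises rather than silently guessing.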

Detection & IOCs (extracted from sources)

SHA-256:
  702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
  9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
  9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
  d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
  b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
  6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
  48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
  2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
  e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e
SHA-1:
  d013e0a503ba6e9d481b9ccdd119525fe0db7652
  34d4b835b24a573863ebae30caab60d6070ed9aa
  c8e03cb454034d5329d810bbfeb2bd2014dac16d
  eee9451901badbfbcf920fcc5089ddc1ee4ec06d
  73f19114d61bd09789788782f407f6fe1d6530b9
  7d91f5b03932793ff32ad99c5e611f1e5e7fe561
  a2f74b02f29f5b1a9fe3efe68c8f48c717be45c2
  c756c290729981d3804681e94b73d6f0be179146
  11608a031358817324568db9ece1f09e74de4719
  b8704c96436ffcbd93f954158fa374df05ddf7f6
Filename: human2.aspx
Path: \MOVEitTransfer\wwwroot\
Paths (runtime compilation artifacts; the random directory name royq2cir is specific to one observed compile, so hunt on the .0.cs/.cmdline/.out/.err/.dll pattern under C:\Windows\Temp rather than on the name):
  C:\Windows\Temp\royq2cir
  C:\Windows\Temp\royq2cir\royq2cir.tmp
  C:\Windows\Temp\royq2cir\royq2cir.0.cs
  C:\Windows\Temp\royq2cir\royq2cir.dll
  C:\Windows\Temp\royq2cir\royq2cir.cmdline
  C:\Windows\Temp\royq2cir\royq2cir.out
  C:\Windows\Temp\royq2cir\royq2cir.err
ClamAV: Win.Ransomware.Clop-6881304-0, Win.Ransomware.Clop-6887770-0
Snort: SID 61876-61879, 61936 (Snort 2); SID 61936, 300582, 300583 (Snort 3)
  • LemurLoot webshell (human2.aspx) is deployed in the MOVEit Transfer wwwroot directory; hunt for new or modified ASPX files written by the IIS worker process (w3wp.exe) under \MOVEitTransfer\wwwroot\
  • Each LemurLoot payload is dynamically compiled at runtime, so every victim sees a unique hash; do not rely solely on hash-based detection, and use behavioral and log-based hunting instead.
  • The exploit chain begins with SQL injection to obtain a sysadmin API token, then calls a deserialization function that does not properly validate its input to achieve RCE; monitor MOVEit Transfer application and IIS logs for anomalous SQL activity and unexpected API token generation.
  • The Check Point IPS signature for this CVE can serve as a detection reference: 'MOVEit Transfer SQL Injection (CVE-2023-34362)'
  • Exploitation affects both internet-facing and on-premises MOVEit Transfer instances; all versions prior to 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1 are vulnerable, including older unsupported versions.
  • Threat actors may have begun experimenting with the exploit as early as 2021, well before the May 2023 mass exploitation wave; historical log review should extend back further than the immediate incident window.
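The hunting guidance above (webshell on disk, hashes that vary per victim, log review for the SQLi-to-token chain) combined into one Python script, added here as an example; it is not code from the page, from Progress, or from any vendor tooling. It assumes IIS W3C logs with the standard #Fields header, the MOVEit Transfer REST token endpoint /api/v1/token, and the request paths in PREREQ_PATHS (guestaccess.aspx and moveitisapi.dll, the endpoints named in public incident reporting on this CVE; treat the list as an assumption and tune it to your deployment). The sample log and the baseline file list are constructed for the demonstration. The webroot check is a baseline diff only: attributing a write to w3wp.exe needs Sysmon FileCreate (Event ID 11) or equivalent telemetry, which this script does not consume.

```python
"""Hunt IIS W3C logs and the MOVEit Transfer webroot for CVE-2023-34362 post-exploitation artifacts."""
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# Assumption: request paths that precede API-token minting in public reporting on this CVE.
PREREQ_PATHS = ("/guestaccess.aspx", "/moveitisapi/moveitisapi.dll")
TOKEN_PATH = "/api/v1/token"      # MOVEit Transfer REST token endpoint
WEBSHELL_NAME = "human2.aspx"     # LemurLoot, from the IOC list above
WINDOW = timedelta(minutes=10)    # how far back a prerequisite request still counts

# Constructed sample log (not real traffic); client IPs are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 02:14:01 10.0.0.5 GET /guestaccess.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-28 02:14:03 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-28 02:14:05 10.0.0.5 POST /api/v1/token - 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-28 02:14:09 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 404
2023-05-28 02:15:00 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-28 08:00:00 10.0.0.5 POST /api/v1/token - 443 - 203.0.113.9 curl/8.0 200
"""


def parse_w3c(lines):
    """Yield one dict per log row, using the most recent '#Fields:' header for column names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed rows rather than misalign columns
        yield dict(zip(fields, values))


def hunt_iis(lines):
    """Return (kind, client_ip, timestamp, uri_stem, status) findings.

    kind is 'webshell_access' for any request to human2.aspx (a 404 is still a probe worth
    keeping), or 'token_after_sqli_path' for a token request from a client that hit one of
    PREREQ_PATHS within WINDOW beforehand, i.e. the SQLi-then-API-token sequence.
    """
    findings = []
    recent_prereq = defaultdict(list)  # client ip -> timestamps of prerequisite requests
    for row in parse_w3c(lines):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        stem = row["cs-uri-stem"].lower()
        ip = row["c-ip"]
        if stem.endswith("/" + WEBSHELL_NAME):
            findings.append(("webshell_access", ip, ts, stem, row["sc-status"]))
        if stem in PREREQ_PATHS:
            recent_prereq[ip].append(ts)
        if stem == TOKEN_PATH and row["cs-method"].upper() == "POST":
            if any(timedelta(0) <= ts - t <= WINDOW for t in recent_prereq[ip]):
                findings.append(("token_after_sqli_path", ip, ts, stem, row["sc-status"]))
    return findings


def unexpected_aspx(wwwroot, baseline):
    """Return .aspx files under wwwroot (relative, posix-style) that are absent from the baseline."""
    root = Path(wwwroot)
    present = {p.relative_to(root).as_posix().lower() for p in root.rglob("*.aspx")}
    return sorted(present - {b.lower() for b in baseline})


def demo_webroot_check():
    """Build a constructed webroot in a temp dir (sample data, not a real install) and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "MOVEitTransfer" / "wwwroot"
        (root / "api").mkdir(parents=True)
        for name in ("human.aspx", "guestaccess.aspx", "human2.aspx", "api/moveit.aspx"):
            (root / name).write_text("<%@ Page %>")
        baseline = ["human.aspx", "guestaccess.aspx", "api/moveit.aspx"]  # constructed allowlist
        return unexpected_aspx(root, baseline)


if __name__ == "__main__":
    for kind, ip, ts, stem, status in hunt_iis(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {kind:<22} {ip:<15} {stem} -> {status}")
    print("unexpected .aspx in webroot:", demo_webroot_check())
```

Feed real logs with `hunt_iis(open(path, encoding="utf-8"))` and pass your own installation's file list as the baseline; because the webshell is recompiled per victim, the file and request-sequence checks carry the weight, and the hash list is only a confirmation.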

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         9.8   CRITICAL
cisa              9.8   CRITICAL