CVE-2023-35036
published 2023-06-12

CVE-2023-35036: In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection…

Priority: P1 (88)
Severity: critical, CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Flags: ITW (exploited in the wild), VulnCheck KEV, Ransomware
EPSS: 12.81% (95.8th percentile)
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Affected

14 ranges

Vendor      Product             Version range               Fixed in
paloalto    cortex_data
paloalto    cortex_xdr
paloalto    cortex_xpanse
paloalto    cortex_xsoar
paloalto    globalprotect
paloalto    pan-os
paloalto    prisma_access
paloalto    prisma_cloud
paloalto    prisma_sd
progress    moveit_transfer     < 2021.0.7                  2021.0.7
progress    moveit_transfer     >= 2021.1.0, < 2021.1.5     2021.1.5
progress    moveit_transfer     >= 2022.0.0, < 2022.0.5     2022.0.5
progress    moveit_transfer     >= 2022.1.0, < 2022.1.6     2022.1.6
progress    moveit_transfer     >= 2023.0.0, < 2023.0.2     2023.0.2

Detection & IOCs (extracted from sources)

filename: human2.aspx
path: C:\MOVEitTransfer\wwwroot\human2.aspx
path: C:\Windows\Microsoft.net\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9a11d1d0\5debd404
filename: App_Web_wrpngvm2.dll
url: /moveitisapi/moveitisapi.dll
url: /human2.aspx
other: Win.Ransomware.Clop-6881304-0
other: Win.Ransomware.Clop-6887770-0
process: w3wp.exe -> csc.exe
  • Hunt for w3wp.exe spawning csc.exe with the MOVEit DMZ pool command line, which indicates on-the-fly compilation of the webshell
  • Detect LemurLoot webshell via YARA by hunting for the typo 'azureAccout' (missing 'n') in ASPX files on MOVEit servers
  • Flag creation of a second App_Web_*.dll in the Temporary ASP.NET Files directory for MOVEit, as only one should exist under normal operation
  • Monitor IIS access logs for POST requests to /moveitisapi/moveitisapi.dll with action=m2, followed by GET requests to /human2.aspx, as this sequence matches the observed attack chain
  • The human2.aspx webshell path is based on the default MOVEit install location and may vary; it has also been observed on non-C: drives such as E:\
  • The App_Web_*.dll filename under Temporary ASP.NET Files contains random characters and will differ per environment; the key indicator is the presence of a *second* such DLL
  • The LemurLoot webshell uses a hardcoded 36-character GUID-formatted authentication value that varies per deployment, so the X-siLock-Comment header value will differ across samples
  • The .NET framework version subdirectory in the Temporary ASP.NET Files path may differ from v4.0.30319 depending on the installed .NET version on the host
  • CVE-2023-35036 patches are designed to mitigate multiple parts of the exploit chain originally used in CVE-2023-34362 exploitation; patching CVE-2023-35036 alone may not fully remediate a previously compromised system
  • Attackers have been observed pivoting to file names other than human2.aspx for the webshell, so filename-only detection is insufficient
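The IIS access-log hunt described in the bullets above (an action=m2 POST to /moveitisapi/moveitisapi.dll followed by a GET of /human2.aspx from the same client), as an added example that is not part of this record or of any vendor tooling. It assumes IIS W3C extended logging with a #Fields header, that action=m2 appears in the cs-uri-query column, and uses constructed sample lines with RFC 5737 documentation addresses.

```python
"""Hunt IIS W3C access logs for the MOVEit exploit-chain request sequence."""
from datetime import datetime

# Constructed sample log (not real traffic). Column layout is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-01 10:00:01 10.0.0.5 GET /human.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-06-01 10:00:05 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 198.51.100.23 Mozilla/5.0 200
2023-06-01 10:00:06 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-06-01 11:30:00 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 203.0.113.9 Mozilla/5.0 200
2023-06-01 12:00:00 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.9 Mozilla/5.0 404
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_exploit_sequences(text, window_seconds=600):
    """Return (client_ip, post_time, get_time) for every action=m2 POST to
    moveitisapi.dll that the same client follows, within window_seconds,
    with a GET of /human2.aspx (the sequence flagged as the attack chain)."""
    last_post = {}   # client IP -> timestamp of its most recent action=m2 POST
    hits = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip, method = rec["c-ip"], rec["cs-method"]
        stem, query = rec["cs-uri-stem"].lower(), rec["cs-uri-query"].lower()
        if method == "POST" and stem == "/moveitisapi/moveitisapi.dll" and "action=m2" in query:
            last_post[ip] = ts
        elif method == "GET" and stem == "/human2.aspx" and ip in last_post:
            if (ts - last_post[ip]).total_seconds() <= window_seconds:
                hits.append((ip, last_post[ip], ts))
    return hits


if __name__ == "__main__":
    for ip, t_post, t_get in find_exploit_sequences(SAMPLE_LOG):
        print(f"{ip}: action=m2 POST at {t_post}, webshell GET at {t_get}")
```

With the default 10-minute window only 198.51.100.23 is reported; widening the window to an hour also catches the slower 203.0.113.9 pair, which is why the window should be tuned to your own log volume rather than left at the default.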

CVSS provenance

NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
VulnCheck: 9.1 CRITICAL