cbcvebase.
CVE-2023-35708
published 2023-06-16

CVE-2023-35708: In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection…

Priority: P1 95
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, Exploit, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 96.68% (99.9th percentile)
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).

Affected

15 ranges

Vendor     Product          Version range               Fixed in
paloalto   cortex_data      (not specified)             (not specified)
paloalto   cortex_xdr       (not specified)             (not specified)
paloalto   cortex_xpanse    (not specified)             (not specified)
paloalto   cortex_xsoar     (not specified)             (not specified)
paloalto   globalprotect    (not specified)             (not specified)
paloalto   pan-os           (not specified)             (not specified)
paloalto   prisma_access    (not specified)             (not specified)
paloalto   prisma_cloud     (not specified)             (not specified)
paloalto   prisma_sd        (not specified)             (not specified)
progress   moveit_transfer  < 2020.1.10                 2020.1.10
progress   moveit_transfer  >= 2021.0.6 < 2021.0.8      2021.0.8
progress   moveit_transfer  >= 2021.1.4 < 2021.1.6      2021.1.6
progress   moveit_transfer  >= 2022.0.4 < 2022.0.6      2022.0.6
progress   moveit_transfer  >= 2022.1.5 < 2022.1.7      2022.1.7
progress   moveit_transfer  >= 2023.0.1 < 2023.0.3      2023.0.3

Detection & IOCs (extracted from sources)

hash      702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
hash      9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
hash      9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
hash      d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
hash      b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
hash      6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
hash      48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
hash      2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
hash      e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e
filename  human2.aspx
path      /human2.aspx
path      /moveitisapi/moveitisapi.dll
path      /guestaccess.aspx
path      /api/v1/token
path      /api/v1/folders
path      /machine2.aspx
other     Progress MOVEit Transfer SILCertToUser or UserCheckClientCert SQL Injection (CVE-2023-35036 or CVE-2023-35708): 6000667
snort     SID 61876-61879
snort     SID 61936
snort     SID 300582
snort     SID 300583
yara      Win.Ransomware.Clop-6881304-0
yara      Win.Ransomware.Clop-6887770-0

  • Check Point IPS signatures 'Webshell.Win.Moveit' and 'Exploit.Wins.MOVEit' provide detection coverage for MOVEit Transfer exploitation activity, including CVE-2023-35708.
  • The LemurLoot webshell IOC hashes (listed under 'Webshell (LemurLoot)') are associated with the broader MOVEit Transfer exploitation campaign (CVE-2023-34362) by Cl0p; they are not confirmed to be exclusively tied to CVE-2023-35708 exploitation, which was not reported as actively exploited at the time of publication.
  • The Zscaler AppProtection rule ID 6000667 covers both CVE-2023-35036 and CVE-2023-35708 together (SILCertToUser or UserCheckClientCert SQL Injection); it is not exclusive to CVE-2023-35708.
  • The Snort SIDs and ClamAV signatures released by Cisco Talos are attributed to the broader MOVEit Transfer exploitation campaign and may cover CVE-2023-34362 and related activity; their applicability specifically to CVE-2023-35708 should be verified against the latest Snort rule pack.

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL