Critical zero-day vulnerability in MOVEit file transfer solution exploited

published: June 1, 2023

Take action: If you run MOVEit Transfer, it's time to wake up your engineers! Isolate your MOVEit Transfer instance and start a forensic investigation. Assume you have been compromised. Patch only once the investigation comes back clean; patching a breached server first destroys evidence and leaves any planted files in place.


Attackers are actively exploiting a critical zero-day SQL injection vulnerability in Progress Software's enterprise managed file transfer product, MOVEit Transfer.

Progress Software's advisory warns that the vulnerability could lead to escalated privileges and unauthorized access to the MOVEit Transfer environment, including access to sensitive corporate data.

Customers are advised to take immediate action to protect their MOVEit Transfer environment while awaiting a patch from the company.

The alert also recommended that customers look for signs of unauthorized access over at least the past 30 days, which suggests the company has not yet pinned down when exploitation began.

Multiple sources report the vulnerability in MOVEit Transfer as being actively targeted. The identity of the threat actor responsible for the attacks is still uncertain, but it may be one of the ransomware or extortion groups.

Shodan lists more than 2,500 MOVEit Transfer servers exposed to the internet, the majority of them in the United States.

Progress Software advises customers to temporarily block all HTTP and HTTPS traffic to their MOVEit Transfer environment, and to upgrade to one of the fixed versions, namely

  • MOVEit Transfer 2023.0.1
  • MOVEit Transfer 2022.1.5
  • MOVEit Transfer 2022.0.4
  • MOVEit Transfer 2021.1.4
  • MOVEit Transfer 2021.0.6.

Customers were also urged to check for unexpected files in the c:\MOVEit Transfer\wwwroot\ folder on all instances of MOVEit Transfer, and to look for any unusual or unusually large file downloads.

MOVEit admins have also reported on Reddit finding multiple randomly named App_Web_<random>.dll files, such as App_Web_feevjhtu.dll, after being breached, where a clean install has only one.

The following IP addresses have been associated with the attacks (de-fanged):

  • 138.197.152[.]201
  • 209.97.137[.]33
  • 5.252.191[.]0/24
  • 148.113.152[.]144 (reported by the community)
  • 89.39.105[.]108

As additional mitigations, organizations running MOVEit Transfer should disconnect the instances from their internal networks and inspect them for newly created or modified .aspx files. Preserve copies of all IIS logs and network data-volume logs before cleaning anything up, so the evidence survives the remediation.
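The checks above (IOC addresses in the IIS logs, unusually large downloads, extra App_Web_*.dll files and unexpected pages under wwwroot) can be run offline on an analyst host against logs and directory listings exported from the isolated server. The script below is an added example written for this page, not Progress Software's tooling. The IIS log lines, the file listing, the clean-install baseline and the 50 MiB "large download" threshold are all constructed assumptions; the IOC addresses are the ones listed above with the de-fanging brackets removed.

```python
"""Offline triage helper for the MOVEit Transfer checks described above.

Added example: the log lines, file listing, baseline and size threshold are
constructed for illustration, not real data from the incident.
"""
import ipaddress
import re

# De-fanged IOC addresses from the advisory text, with the [.] brackets removed.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "138.197.152.201", "209.97.137.33", "5.252.191.0/24",
    "148.113.152.144", "89.39.105.108",
)]

# "Unusually large" is site specific; 50 MiB is an assumed starting point.
LARGE_DOWNLOAD_BYTES = 50 * 1024 * 1024

# Compiled ASP.NET page assemblies; a clean install has a single one.
APP_WEB_DLL = re.compile(r"^App_Web_[A-Za-z0-9_.-]+\.dll$", re.IGNORECASE)


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines instead of aborting the triage
        rows.append(dict(zip(fields, parts)))
    return rows


def ioc_hits(rows):
    """Return log rows whose client IP falls inside any IOC network."""
    hits = []
    for row in rows:
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # '-' or garbage in c-ip: not an IOC match
        if any(ip in net for net in IOC_NETWORKS):
            hits.append(row)
    return hits


def large_downloads(rows, threshold=LARGE_DOWNLOAD_BYTES):
    """Return rows where bytes sent to the client (sc-bytes) reach the threshold."""
    return [row for row in rows
            if row.get("sc-bytes", "").isdigit() and int(row["sc-bytes"]) >= threshold]


def check_wwwroot(listing, baseline_pages):
    """Flag extra App_Web_*.dll files and .aspx/.asp pages absent from a clean baseline."""
    known = {name.lower() for name in baseline_pages}
    dlls = [n for n in listing if APP_WEB_DLL.match(n)]
    pages = [n for n in listing
             if n.lower().endswith((".aspx", ".asp")) and n.lower() not in known]
    return {
        "extra_app_web_dlls": dlls if len(dlls) > 1 else [],
        "unexpected_pages": pages,
    }


# Constructed sample data (not real logs); field layout follows the IIS W3C format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2023-05-28 02:14:03 138.197.152.201 POST /human.aspx 200 1532
2023-05-28 02:14:09 138.197.152.201 GET /human.aspx 200 4096
2023-05-28 02:20:41 5.252.191.77 GET /api/v1/files/1001/download 200 734003200
2023-05-28 02:21:00 5.252.191.77 GET /api/v1/files/1002/download 200 bad-value
2023-05-28 09:00:12 10.20.30.40 GET /human.aspx 200 4096
"""
# Constructed directory listing: two compiled page assemblies and a page that is not in the baseline.
SAMPLE_LISTING = ["human.aspx", "App_Web_x7q2mk1a.dll", "App_Web_feevjhtu.dll", "helper.aspx"]
BASELINE_PAGES = ["human.aspx"]  # assumed inventory from a known-clean install or backup


def triage(log_text=SAMPLE_LOG, listing=SAMPLE_LISTING, baseline=BASELINE_PAGES):
    """Run all three checks and return the findings as one dict."""
    rows = parse_iis_log(log_text)
    return {
        "ioc_hits": ioc_hits(rows),
        "large_downloads": large_downloads(rows),
        "wwwroot": check_wwwroot(listing, baseline),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

In practice, feed `parse_iis_log` the concatenated contents of the preserved IIS log files and `check_wwwroot` a listing taken with the server isolated; the baseline should come from a clean install or a pre-incident backup, not from the suspect server itself. Any IOC hit, more than one App_Web_*.dll, or an unlisted .aspx file is a reason to stay in incident-response mode rather than patch.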
