
MOVEit Transfer and MOVEit Cloud Vulnerability

Status: Patched
Last Update:

Overview

This page provides the latest information on the MOVEit Transfer and MOVEit Cloud vulnerabilities. As we continue our investigation and new details are uncovered, this page will be updated. Please check back frequently for updates.

If you are a customer or researcher that has identified a potential security issue or vulnerability, please submit the suspected vulnerability to our Reporting Security Vulnerabilities page for immediate review and remediation. We thank you for your support.

Update

July 5, in response to customer feedback, the MOVEit team has formalized a regular Service Pack program for all MOVEit products. Customers have shared that a regular cadence and predictable timeline is desired to make it easier to adopt new product updates and fixes. The Service Pack program will enable the delivery of more frequent updates and will provide a more predictable, simple and transparent process for product and security fixes.

The first Service Pack is now available and includes product and security fixes for supported versions of MOVEit Transfer. The Service Pack has also been applied to MOVEit Cloud. MOVEit Automation will be included in future Service Pack releases. Today’s release includes improvements to the MOVEit Transfer database, optimization of the installer and fixes for three new CVEs.

We expect to release a new Service Pack approximately every two months going forward. All details on major releases, service packs, including today’s release, and hot fixes can be found in the MOVEit Product Hub. Please bookmark that page for future reference.

June 18, 2023, We have not seen any evidence that the vulnerability reported on June 15 has been exploited. Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity. Because the new vulnerability we reported on June 15 had been publicly posted online, it was important that we take immediate action out of an abundance of caution to quickly patch the vulnerability and disable MOVEit Cloud.

Our product teams and third-party forensics partner have reviewed the vulnerability and associated patch and have deemed that the issue has been addressed. This fix has been applied to all MOVEit Cloud clusters and is available for MOVEit Transfer customers.

A third party publicly disclosed a vulnerability impacting MOVEit Transfer and MOVEit Cloud in a way that did not follow normal industry standards, and in doing so put our customers at increased risk of exploitation. Because it is common across the industry that reported vulnerabilities lead to increased attention from both malicious threat actors and cybersecurity researchers trying to uncover new vulnerabilities, we are working closely with our industry partners to take all appropriate steps to address any issues.

June 16, 2023, Yesterday we reported the public posting of a new SQLi vulnerability that required us to take down HTTPS traffic for MOVEit Cloud and to ask MOVEit Transfer customers to take down their HTTP and HTTPS traffic to safeguard their environments. We have now tested and deployed a patch to MOVEit Cloud, returning it to full service across all cloud clusters. We have also shared this patch and the necessary deployment steps with all MOVEit Transfer customers.

All MOVEit Transfer customers must apply the new patch, released on June 15, 2023. Details on steps to take can be found in the following Knowledge Base Article.

All MOVEit Cloud customers, please see the MOVEit Cloud Status Page for more information.

The investigation is ongoing, but currently, we have not seen indications that this newly discovered vulnerability has been exploited.

June 15, 2023, Update: MOVEit Cloud has been patched and fully restored across all cloud clusters. See the MOVEit Cloud Status Page for updates. We are currently rolling out patches for MOVEit Transfer. Please monitor the June 15 MOVEit Transfer Knowledge Base Article for updates. This latest patch was released to address a newly identified vulnerability. We took HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and asked all MOVEit Transfer customers to take down their HTTP and HTTPS traffic to safeguard their environments while a patch was created and tested.

June 9, 2023, In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers. As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit. These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023.

All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. Details on steps to take can be found in the following Knowledge Base Article.

All MOVEit Cloud customers, please see the MOVEit Cloud Knowledge Base Article for more information.

The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited.

May 31, 2023, Progress reported a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment. Upon discovery, Progress promptly launched an investigation, alerted MOVEit customers of the issue and provided immediate mitigation steps, followed by the development and release of a security patch, all within 48 hours.

Required Action

MOVEit Transfer: If you have not done so previously, apply the up-to-date patches, follow our recommended mitigation guidance and monitor for known Indicators of Compromise (IoCs). We are urging customers to use only the patch links included in our documentation. Do not use third-party resources.

MOVEit Cloud: MOVEit Cloud has been patched with the latest patch released on June 15, 2023. We encourage customers to review their audit logs for signs of unexpected or unusual file downloads, and to continue reviewing access logs and system logs alongside the logs from our systems protection software.

For customer questions, please contact Progress Customer Technical Support:
https://community.progress.com/s/supportlink-landing.

Resources

General Resources

MOVEit Transfer

MOVEit Cloud

Contact Information

Third Party References

A special thank you to our partners and collaborators: Cybersecurity and Infrastructure Security Agency (CISA), Crowdstrike, Huntress, Mandiant, Microsoft and Rapid7.
