
API 0Day Response – a MOVEit story

June 20, 2023 | 4 MIN READ

by Jason Kent

MOVEit vulnerability

On June 9th, Progress Software released a statement: “Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.”

Well, that doesn’t seem very good at all. In this case, “multiple” meant three on June 15th, with a 0Day SQLi and an RCE flaw. Progress Software has released a security advisory for a privilege escalation vulnerability (CVE-2023-35708) in MOVEit Transfer, a Managed File Transfer software. A cyber threat actor could exploit this vulnerability to take control of an affected system. CISA is also urging users and organizations to review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available.

So, when a massive flaw like this is discovered, what is the first thing you should do?

Step 1: Know what you have. Then Patch.

Really, the first step, as with any program or process for Information Security, is knowing what you have. Does this MOVEit vulnerability impact you? So turn to your CMDB, your SBOMs, your SCA tooling, or your endpoint agents. Do you see traffic flowing to an impacted system that you can identify? The answer here is probably to start identifying systems and then cataloging the applications they run. Why is it so important to find all the systems quickly?

In the case of this vulnerability, a patch was made available very quickly. If the organization wasn’t aware this was the Managed File Transfer solution they were using, they wouldn’t know to apply the patch. But even though the patch was available quickly, the exploit was available before the patch, so there needs to be a very rapid response to this type of thing.
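One concrete way to do the "know what you have" step is to query an SBOM for the affected product and compare installed versions against the fixed version named in the vendor advisory. The script below is an added example, not Cequence's or Progress Software's code; the CycloneDX-style document, the hostnames, the version strings and the fixed version passed to the function are all constructed for illustration, and the real fixed version must come from the advisory.

```python
"""Find components in a CycloneDX-style SBOM that match a product name and
run a version older than the advisory's fixed version.

Added example; the SBOM content and every version number here are constructed.
"""
import json
import re

# Constructed sample SBOM: components from two hosts merged into one document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "MOVEit Transfer", "version": "1.2.3",
         "properties": [{"name": "host", "value": "mft-01.example.internal"}]},
        {"type": "application", "name": "moveit-transfer", "version": "1.1.0",
         "properties": [{"name": "host", "value": "mft-02.example.internal"}]},
        {"type": "library", "name": "openssl", "version": "3.0.9"},
    ],
})


def version_key(version):
    """Turn '1.2.3' into (1, 2, 3) so tuples compare numerically.
    Non-numeric segments (e.g. 'rc1') count as 0."""
    parts = []
    for segment in re.split(r"[.\-]", version):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def normalize_name(name):
    """Fold 'MOVEit Transfer' and 'moveit-transfer' to one key so inventories
    produced by different agents still match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_affected(sbom_json, product, fixed_version):
    """Return (component name, version, host) for every component whose
    normalized name equals `product` and whose version is below `fixed_version`."""
    doc = json.loads(sbom_json)
    target = normalize_name(product)
    fixed = version_key(fixed_version)
    hits = []
    for comp in doc.get("components", []):
        if normalize_name(comp.get("name", "")) != target:
            continue
        version = comp.get("version", "0")
        if version_key(version) < fixed:
            host = next((p["value"] for p in comp.get("properties", [])
                         if p.get("name") == "host"), "unknown")
            hits.append((comp["name"], version, host))
    return hits


if __name__ == "__main__":
    # "1.2.0" is a constructed placeholder for the advisory's fixed version.
    for name, version, host in find_affected(SAMPLE_SBOM, "MOVEit Transfer", "1.2.0"):
        print(f"PATCH NEEDED: {host} runs {name} {version}")
```

The name normalization matters in practice: a CMDB, an SBOM generator and an endpoint agent rarely spell a product the same way, and a strict string match would silently miss the second host.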

This is a great example of a virtual patch scenario. Virtual patches are rules deployed in WAF or analytics-type systems that look for the behavior of an exploit against this type of vulnerability. Virtual patching gets out ahead of the problem and allows time to locate systems, schedule outage windows and get the patches applied. If the vulnerability becomes known off-hours, virtual patching can mean the difference between a breach and a successful patch application before a breach.
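To make the virtual-patch idea concrete, here is a small rule set of the kind a WAF would evaluate in front of a web application while the real patch is scheduled. It is an added example, not Cequence's product logic or anything from MOVEit: it keys on the behaviour of an SQL injection attempt (SQL syntax inside a parameter value, after full URL decoding) rather than on one known payload, and it deliberately leaves a lone apostrophe alone so ordinary values such as a surname do not trip it. The API paths, parameter names and sample requests are all invented for illustration.

```python
"""Minimal virtual-patch rules for SQL injection behaviour in request parameters.

Added example; the endpoints and traffic below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Each rule needs SQL syntax next to the injection character, not just the
# character itself, so a value like O'Brien is not flagged.
RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("quote-boolean", re.compile(r"'\s*(or|and)\s+['\d(]", re.I)),
    ("quote-comment", re.compile(r"'\s*(--|#|/\*)")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec|alter)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
]


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so a double-encoded payload is inspected in clear."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_params(raw):
    """Split 'a=1&b=2' into [('a', '1'), ('b', '2')] without decoding yet."""
    pairs = []
    for part in raw.split("&"):
        if part:
            key, _, val = part.partition("=")
            pairs.append((key, val))
    return pairs


def inspect_request(method, target, body=""):
    """Evaluate one request; action is 'block' when any rule matches a query or
    body parameter value, and `matches` records which rule fired where."""
    _, _, query = target.partition("?")
    fields = [("query", k, v) for k, v in split_params(query)]
    if method.upper() in ("POST", "PUT") and body:
        fields += [("body", k, v) for k, v in split_params(body)]
    matches = []
    for where, key, raw in fields:
        value = decode_fully(raw)
        for name, pattern in RULES:
            if pattern.search(value):
                matches.append({"rule": name, "location": where, "param": key})
    return {"action": "block" if matches else "allow",
            "method": method, "target": target, "matches": matches}


# Constructed sample traffic: benign, classic, double-encoded, benign, stacked.
SAMPLE_REQUESTS = [
    ("GET", "/api/v1/files?folder=Reports&name=O%27Brien+Q2.pdf", ""),
    ("GET", "/api/v1/files?folder=%27+OR+%271%27%3D%271", ""),
    ("GET", "/api/v1/files?folder=x%2527%2520UNION%2520SELECT%2520null", ""),
    ("POST", "/api/v1/login", "user=alice&pass=s3cret"),
    ("POST", "/api/v1/login", "user=alice%27%3B+DROP+TABLE+users--&pass=x"),
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Run every sample request through the rules and return the decisions."""
    return [inspect_request(*r) for r in requests]


if __name__ == "__main__":
    for d in run_samples():
        rules = ",".join(m["rule"] for m in d["matches"]) or "-"
        print(f"{d['action']:5} {d['method']:4} {d['target']}  rules={rules}")
```

Two design points carry over to any real deployment: decode before you match, because the third sample would pass a rule that only looks at the raw query string, and log the rule name and parameter on every block, because that record is what tells the internal team which endpoint to prioritise when the permanent patch goes in.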

How Cequence was able to help our customers with the MOVEit vulnerability

We had customers approach us for virtual patches as the exploits were being developed. Having very little to go on meant we had to be creative in finding the behaviors that would lead to a breach, as well as putting mitigations in place for possible exploit paths. Additionally, we learned that these types of transactions are often completely unmonitored, and having those APIs onboarded meant greater visibility into what could potentially be an attack. A hidden benefit for our customers, for sure: that visibility can now inform further action.

Are virtual patches perfect? No. But if I were to compare them to the security a zipper-topped Jeep might have, they do include the ability to harden the canvas and lock the zippers. Is it still possible to steal the Jeep? Sure, but it’s much harder. As the virtual patches are applied and monitored, it’s possible some information gets missed, but a virtual patch isn’t meant to replace a software patch; it is just a step for when the patching process is too cumbersome or not possible due to other constraints.

Our customers were able to stop, take a breath, and approach the problem with speed and efficiency because they weren’t battling an ongoing data breach; they were simply able to watch more of the perimeter and have their internal teams do the permanent work that is needed.

Interested in finding out how we can help you? Request an assessment.

Author: Jason Kent, Hacker in Residence

Jason Kent is Cequence's Hacker-in-Residence with over 20 years of experience securing client behavior, wireless networks, web applications, APIs, and cloud systems. At Cequence, Jason focuses on defending against automated attacks on web applications and APIs.
