Bulletin — June 2023

June is the month of MOVEit. Progress Software publishes the advisory on 31 May; on 5 June Cl0p starts posting victims on its extortion portal; by month-end the count is over 500 organisations and growing. By year-end it will be 2,700+. The biggest software-extortion campaign of the decade.

Everything else this month — Fortinet FortiOS, VMware Aria, the first LLM agents with tool use — runs in the background.

CVE-2023-34362 — MOVEit, the event of the year

31 May. Progress Software publishes an urgent advisory on a pre-auth SQLi in MOVEit Transfer. CVSS 9.8. 27 May: Mandiant identifies that exploitation has been ongoing for at least four days. 2 June: Microsoft attributes to Lace Tempest (Cl0p). 5 June: Cl0p confirms publicly and starts tallying victims. End of June: ~500 organisations affected, including BA, BBC, Aon, EY, US Department of Energy, several state DMVs.

We’ve analysed the bug, the human2.aspx web shell (LEMURLOOT) and the Cl0p pattern in a dedicated post.

Operational lesson: if you have MOVEit Transfer exposed, patching is the minimum. Next step is auditing traffic and audit logs from 27 May through your patch date. Cl0p exfiltrates before notice; the patch doesn’t recover what’s lost.

Source: https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability

CVE-2023-27997 — XORtigate in FortiOS

12 June. Fortinet publishes an advisory on a heap buffer overflow in the FortiOS SSL-VPN (pre-auth, CVSS 9.2). Lexfo discovers it and informally names it XORtigate. Affects FortiGate, FortiProxy and FortiSwitchManager.

The bug lives in the XOR decoding the SSL-VPN applies when parsing HTTP parameters. A specifically crafted payload in an unauthenticated HTTP request triggers heap corruption → RCE as root. Fortinet rushes the patch after private conversations with Lexfo.

Key data:

• Censys measures around 490,000 FortiGate devices with SSL-VPN exposed to the internet at advisory time.
• Fortinet states it’s unaware of active exploitation at patch time, though public PoCs appear less than a week later.
• Fortinet urges patching with unusual urgency — it even publishes its own blog reminding admins that unpatched devices are at “high probability of compromise”.

Source: https://www.fortinet.com/blog/threat-research/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign

CVE-2023-20887 — VMware Aria Operations for Networks

7 June. Pre-auth RCE in VMware Aria Operations for Networks (formerly vRealize Network Insight) via command injection on a specific API endpoint. CVSS 9.8. Exploited in the wild within a week of the advisory; public PoC on GitHub the day after the patch.

The bug is in the same family as many this year: unsanitised input concatenated into a shell. Classic pattern, enterprise vendor, public exposure by default. CISA adds it to KEV on 22 June.

Source: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Diffusion: LLM agents with tool use in production

June 2023 is the first month with live agents running in production with tool use. Notable cases:

• ChatGPT plugins (launched in March, now for Plus users): browsing, code interpreter, third-party plugins (Expedia, Kayak, Wolfram, Zapier, …).
• GitHub Copilot Chat available in enterprise beta.
• Bing Chat consolidated in Edge with tools (search, summarisation, image generation via DALL-E).
• LangChain established as the dominant agent framework — explosion of tutorials and side projects.

For AI security, the central problem we saw in March–April (markdown exfil) gets worse: now the model not only writes markdown, it also invokes functions. An indirect injection arriving through a URL browsing reads can fire a Zapier that sends an email, a Notion that reads/writes notes, a Make that triggers a workflow. The attack surface goes from “exfiltrate context” to “execute authorised actions with the user’s privileges”.

Johann Rehberger (Embrace The Red) keeps publishing cases. Simon Willison summarises the problem in his prompt-injection tag. Specific hardening guides don’t exist yet — the whole field is learning in production.

Rest of the month

• CVE-2023-32434 and CVE-2023-32435 — Apple patches two iOS zero-days used by Operation Triangulation (covered in the May bulletin).
• CVE-2023-29336 — Win32k EoP zero-day, June Patch Tuesday.
• Microsoft Outlook Online RCE chains research (not exploitable in final product, but interesting).
• Helsinki Education breach — confirmation of an earlier attack (March) affecting data on 80,000 students.

Cross-cutting pattern

Cl0p has pulled off two serious zero-days in six months (GoAnywhere in February, MOVEit in June). The pattern is stable: focus on managed file transfer, pre-auth zero-day via SQLi or deserialisation, mass exfil, extortion without encryption. If your organisation runs any enterprise MFT (Cleo, IBM Aspera, Globalscape EFT, Serv-U), investment in a product security review and reducing public exposure is worth more than any additional endpoint control.

In AI security, the month’s risk is in agents with tool use, not in the conversation itself. Any LLM integration with the ability to send emails / make HTTP requests / create tickets requires threat modelling it as a confused deputy — because it is one.