May 30
2023
Jun 2
Jun 5
Jun 8
Jun 11
Jun 14
Jun 17
Jun 20
Jun 23
Jun 26
Jun 29
Jul 2
Jul 5
Jul 8
Jul 11
Jul 14
20%
30%
40%
50%
60%
70%
80%
90%
100%
CVE_2023_34362
CVE_2023_35036
CVE_2023_35708
CVE_2023_3693X
Figure 1: Maximum Count of Vulnerable Organizations as % of Organizations using MOVEit Transfer at time of Announcement
Dotted red lines represent announcement dates for CVE-2023-34362, CVE-2023-35036, CVE-2023-35708, and CVE-2023-3693X (left to right). Bitsight scans
started on June 8th, therefore the 100% initial value is an assumption that all organizations using MOVEit instances were vulnerable on May 31st.
However, subsequent initial values (values lying on dotted red lines) reflect the observed number of organizations identified as vulnerable as a
percentage of organizations using MOVEit on that day. I.e., roughly 95% of organizations identified as using MOVEit instances on June 9th were
vulnerable to CVE-2023-35036; this value is less than 100% because by the time of our scan on the announcement date of CVE-2023-35036, some
organizations have already remediated the vulnerability.
plotly-logomark