Critical SQL Injection Vulnerabilities Uncovered in MOVEit Transfer

July 6, 2023

Progress Software has issued an urgent notification to its customers about a critical SQL injection vulnerability in its MOVEit Transfer managed file transfer product, tracked as CVE-2023-36934, which could allow attackers to extract data from customers' databases. The flaw affects multiple versions of MOVEit Transfer, specifically versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). It stems from a SQL injection vulnerability in the MOVEit Transfer web application: an unauthenticated attacker could submit a specially crafted payload to a MOVEit Transfer application endpoint to gain unauthorized access to the MOVEit Transfer database, potentially resulting in unauthorized modification and disclosure of its contents. Guy Lederfein of Trend Micro discovered the vulnerability.

Two more vulnerabilities, identified as CVE-2023-36932 and CVE-2023-36933, are also considered high severity. CVE-2023-36932 affects multiple versions of MOVEit Transfer and could be exploited by an authenticated attacker by injecting a malicious payload, leading to unauthorized access, alteration, and disclosure of database content. This vulnerability was discovered by HackerOne’s cchav3z, q5ca, and nicolas_zilio.

CVE-2023-36933, another high-risk threat, can cause an unhandled exception in the MOVEit Transfer application, resulting in unexpected termination. This vulnerability affects versions of MOVEit Transfer released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). HackerOne’s jameshorseman discovered this vulnerability.

Patches for these vulnerabilities are available for certain versions of MOVEit Transfer.
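Because the advisory expresses exposure as "versions released before" a set of fixed releases, the practical question for an administrator is whether an installed build is on or past the fixed version for its release line. The following check is an added example written for this page, not Progress tooling; the fixed-version table is transcribed from the advisory text above (CVE-2023-36932 is omitted because the advisory names no fixed versions for it), and the handling of release lines the advisory does not name is an assumption noted in the comments.

```python
"""Check an installed MOVEit Transfer version against the fixed versions
named in the advisory above.

Added example for this page; it is not Progress tooling. The fixed-version
table is transcribed from the advisory text. Treatment of release lines the
advisory does not name is an assumption noted inline.
"""
from __future__ import annotations

# Fixed versions per CVE as listed above: marketing version -> internal
# build number. Everything "released before" these is affected.
FIXED_VERSIONS: dict[str, dict[str, str]] = {
    "CVE-2023-36934": {
        "2020.1.11": "12.1.11",
        "2021.0.9": "13.0.9",
        "2021.1.7": "13.1.7",
        "2022.0.7": "14.0.7",
        "2022.1.8": "14.1.8",
        "2023.0.4": "15.0.4",
    },
    "CVE-2023-36933": {
        "2021.0.9": "13.0.9",
        "2021.1.7": "13.1.7",
        "2022.0.7": "14.0.7",
        "2022.1.8": "14.1.8",
        "2023.0.4": "15.0.4",
    },
}

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'YEAR.MINOR.PATCH' or internal 'MAJOR.MINOR.PATCH' into a tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MOVEit version format: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_lines(cve: str, internal: bool) -> dict[tuple[int, int], Version]:
    """Map each release line (major, minor) to its fixed version for `cve`."""
    table = FIXED_VERSIONS[cve]
    names = table.values() if internal else table.keys()
    lines: dict[tuple[int, int], Version] = {}
    for name in names:
        v = parse_version(name)
        lines[v[:2]] = v
    return lines


def status_for(installed: str, cve: str) -> str:
    """Return 'patched', 'affected' or 'not listed' for one CVE.

    'not listed' means the release line is not named in the advisory and is
    not older than every fixed release; consult the vendor bulletin for it.
    """
    inst = parse_version(installed)
    # Assumption: internal build numbers are small integers (12.x to 15.x in
    # the table above), while marketing versions start with a year.
    internal = inst[0] < 1000
    lines = fixed_lines(cve, internal)
    line = inst[:2]
    if line in lines:
        return "patched" if inst >= lines[line] else "affected"
    # Assumption: a build older than the oldest fixed release falls under the
    # advisory's "released before" wording and is treated as affected.
    if inst < min(lines.values()):
        return "affected"
    return "not listed"


def assess(installed: str) -> dict[str, str]:
    """Status of one installed version against every CVE in the table."""
    return {cve: status_for(installed, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any real host.
    for v in ("2022.1.7", "2022.1.8", "15.0.3", "2019.0.2", "2024.0.0"):
        print(v, assess(v))
```

The check accepts either the marketing version (2023.0.4) or the internal build number (15.0.4) that the advisory lists in parentheses, and compares only within the matching release line, since a 2021.1.x build is never "fixed" by a 2022.0.x release.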
