Actively exploited in the wild
Progress MOVEit Transfer SQL Injection Vulnerability
Progress — MOVEit Transfer · Listed in the CISA KEV since 2023-06-02. This indicates confirmed attacks in production environments.
Required action: Apply updates per vendor instructions.
CVE-2023-34362
Severity: Critical (CVSS 9.8) · KEV
Exploitation Probability (EPSS): Very high risk, 100th percentile (higher than 100% of all known CVEs)
Summary
A SQL injection vulnerability has been found in the MOVEit Transfer web application before version 2021.0.6, which could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
Risk Assessment
This vulnerability poses a serious risk to organizations as it allows attackers to access sensitive data and potentially modify or delete it. Exploitation of unpatched systems can lead to significant security breaches.
Recommendation
It is recommended to update MOVEit Transfer to the latest version as soon as possible to mitigate this vulnerability. Additionally, organizations should monitor their systems for unauthorized access attempts and consider implementing additional security measures.
Original NVD description (English source)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.