Progress Software has announced that it has discovered and patched a critical SQL injection vulnerability in MOVEit Transfer, its widely used secure file transfer software. The same update also patches two other high-severity vulnerabilities in the product.
The SQL injection vulnerability, tracked as CVE-2023-36934, could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.
SQL injection vulnerabilities are well-known and dangerous security flaws that allow attackers to manipulate databases and execute arbitrary code. An attacker could send a specially crafted payload to specific endpoints of the affected application to modify or expose sensitive data in the database.
What makes CVE-2023-36934 so severe is that it can be exploited without authentication: an attacker holding no valid credentials could still exploit it. However, at this time there are no reports of this particular vulnerability being actively exploited in the wild.
The discovery comes after a series of recent cyberattacks targeting MOVEit Transfer with Clop ransomware via another SQL injection vulnerability (CVE-2023-34362). These attacks stole data and extorted money from affected organizations.
This latest security update from Progress Software also addresses two other high-severity vulnerabilities, CVE-2023-36932 and CVE-2023-36933.
CVE-2023-36932 is a SQL injection flaw that an authenticated attacker can exploit to gain unauthorized access to the MOVEit Transfer database. CVE-2023-36933, on the other hand, is a vulnerability that could allow an attacker to unexpectedly shut down the MOVEit Transfer application.
Researchers at HackerOne and Trend Micro’s Zero Day Initiative responsibly reported these vulnerabilities to Progress Software.
These vulnerabilities affect multiple MOVEit Transfer versions including 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
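To check whether a deployed build falls inside the affected ranges listed above, here is an added Python helper (not code from Progress Software or the advisory). It assumes plain dotted-numeric version strings as shown in the list, and it treats any release branch not on the list as outside the scope of this advisory rather than as safe.

```python
from typing import Optional, Tuple

# Highest still-vulnerable version on each affected MOVEit Transfer branch,
# taken from the advisory's "X.Y.Z and earlier" list.
AFFECTED_CEILINGS = {
    (12, 1): (12, 1, 10),
    (13, 0): (13, 0, 8),
    (13, 1): (13, 1, 6),
    (14, 0): (14, 0, 6),
    (14, 1): (14, 1, 7),
    (15, 0): (15, 0, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple (assumed format)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in a listed vulnerable range, False if it is
    newer than the listed ceiling on that branch, None if the branch is not
    covered by the advisory at all (unknown, not cleared)."""
    major, minor, patch = parse_version(text)
    ceiling = AFFECTED_CEILINGS.get((major, minor))
    if ceiling is None:
        return None
    return (major, minor, patch) <= ceiling


def status(text: str) -> str:
    """Human-readable verdict for an inventory report."""
    verdict = is_affected(text)
    if verdict is None:
        return f"{text}: branch not listed in advisory, verify separately"
    return f"{text}: {'AFFECTED, update required' if verdict else 'at or above fixed version'}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("12.1.10", "14.1.7", "14.1.8", "15.0.4", "15.1.0"):
        print(status(v))
```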
Progress Software has made the necessary updates available for all major MOVEit Transfer versions. We strongly recommend updating to the latest version of MOVEit Transfer to mitigate the risks posed by these vulnerabilities.