CVE-2023-36934: Critical SQL injection vulnerability in MOVEit Transfer

CVE-2023-36934

Progress Software has issued an urgent warning to customers about newly uncovered critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer (MFT) solution. These vulnerabilities could potentially allow attackers to pilfer information from unsuspecting customers’ databases.

CVE-2023-36934

The Critical-Severity Vulnerability: CVE-2023-36934

The vulnerability labeled as CVE-2023-36934 poses a critical threat to several versions of Progress MOVEit Transfer. Specifically, this affects releases prior to 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The threat here is a SQL injection vulnerability within the MOVEit Transfer web application.

In this scenario, an unauthenticated attacker could potentially exploit this vulnerability to gain unauthorized access to the MOVEit Transfer database. This could be achieved by submitting a specially crafted payload to a MOVEit Transfer application endpoint, resulting in unauthorized modification and exposure of MOVEit database content.

Guy Lederfein of Trend Micro, working with the Zero Day Initiative, is credited with discovering this critical vulnerability.

The High-Severity Threats: CVE-2023-36932 and CVE-2023-36933

The vulnerabilities identified as CVE-2023-36932 and CVE-2023-36933 are considered of high severity. Like the previous vulnerability, CVE-2023-36932 affects multiple versions of MOVEit Transfer released before specific versions. However, in this case, an authenticated attacker could exploit the vulnerability by injecting a malicious payload, leading to unauthorized access, modification, and disclosure of database content. HackerOne’s cchav3z, q5ca, and nicolas_zilio are credited with this discovery.

CVE-2023-36933, the second high-stakes threat, can trigger an unhandled exception in the MOVEit Transfer application, causing it to terminate unexpectedly. This vulnerability affects versions of MOVEit Transfer released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The discovery of this vulnerability is credited to HackerOne’s jameshorseman.

Protect your system

Below you can find the current list of MOVEit Transfer versions that have a patch available for these new vulnerabilities:

Affected Version Fixed Version (Drop-In DLLs) Documentation Release Notes
MOVEit Transfer 2020.1.6 (12.1.6) or later MOVEit Transfer 2020.1.11 (12.1.11) Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions MOVEit Transfer 2020.1.11 Release Notes
MOVEit Transfer 2020.0.x (12.0.x) or older  Must upgrade to a supported version See MOVEit Transfer Upgrade
and Migration Guide
 N/A