CVE-2023-34362: Critical SQL Injection in Progress MOVEit Transfer Demands Immediate Action
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.
Frequently Asked Questions
What is CVE-2023-34362 and why does it matter?
CVE-2023-34362 is a critical SQL injection vulnerability in Progress MOVEit Transfer web applications. It matters because it allows unauthenticated attackers to gain unauthorized access to the database, potentially leading to data exfiltration, alteration, or deletion. This flaw has a CVSS score of 9.8 and is actively being exploited in the wild by ransomware groups, making it a severe threat to enterprise data integrity.
Which versions of MOVEit Transfer are affected?
The vulnerability affects MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). Older releases such as 2020.1, 2021.0 and 2022.0.0, as well as unsupported versions such as 2020.0 and 2019.x, are also confirmed to be affected and can be attacked without authentication over HTTP or HTTPS.
Has a patch been released for CVE-2023-34362?
Yes, Progress Software has released patches for all supported versions of MOVEit Transfer. Users should immediately update to MOVEit Transfer 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, or 2023.0.1. Progress has provided detailed instructions and links to these updates on their community portal to help organizations secure their deployments against this critical SQL injection vulnerability.
What is the remediation deadline and what does it mean for compliance?
The remediation deadline is June 23, 2023. For federal agencies and organizations following CISA guidelines, this deadline marks the required date for applying patches as part of Binding Operational Directive (BOD) 22-01. Failing to meet this deadline means the organization remains non-compliant and exposed to a high-risk vulnerability that is actively being exploited by sophisticated threat actors for ransomware activities.
How to check if a MOVEit Transfer instance is affected?
To determine if your instance is affected, check the installed version of MOVEit Transfer. If the installed build is earlier than the fixed build for its release train (13.0.6, 13.1.4, 14.0.4, 14.1.5, or 15.0.1), the system is vulnerable. Additionally, administrators should review web logs for unusual HTTP/HTTPS traffic and check for indicators of compromise (IOCs) associated with this CVE, as detailed in the CISA AA23-158A advisory.
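As an added example (not from Progress or the advisory text), the version check described here in Python: it accepts either the year-style label or the internal build number, converts the label to a build number using the pairs the advisory lists (2021 = 13, 2022 = 14, 2023 = 15; the same offset is assumed to hold for 2020 and 2019), and compares against the fixed build for that release train.

```python
import re

# Release train (internal major.minor) -> first fixed build, per the advisory.
FIXED_BY_TRAIN = {
    (13, 0): (13, 0, 6),   # 2021.0.6
    (13, 1): (13, 1, 4),   # 2021.1.4
    (14, 0): (14, 0, 4),   # 2022.0.4
    (14, 1): (14, 1, 5),   # 2022.1.5
    (15, 0): (15, 0, 1),   # 2023.0.1
}


def parse_version(text):
    """Return (major, minor, patch) in internal numbering, or None if unparseable.
    Year-style labels (2022.1.3) are converted with the offset implied by the
    advisory's pairs (2021 -> 13, 2022 -> 14, 2023 -> 15); extending that offset
    to 2020 and 2019 is an assumption."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    if major >= 2000:          # year-style label rather than internal build number
        major -= 2008
    return (major, minor, patch)


def assess(text):
    """Classify a version string as 'fixed', 'vulnerable', 'unsupported' (affected,
    no patch available) or 'unknown' (unparseable or outside this advisory)."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        # 2020.x, 2019.x and older are affected but received no patch.
        return "unsupported" if v[0] < 13 else "unknown"
    return "fixed" if v >= fixed else "vulnerable"
```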
CVE-2023-34362 is a critical unauthenticated SQL injection vulnerability in Progress MOVEit Transfer, a widely used managed file transfer (MFT) solution. With a CVSS score of 9.8, this flaw allows attackers to gain access to the underlying database (MySQL, Microsoft SQL Server, or Azure SQL) via the web application interface. Given that MFT solutions are central repositories for sensitive corporate data, the exploitation of this vulnerability poses a severe risk of mass data exfiltration and ransomware deployment. CISA and Progress have confirmed active exploitation in the wild, primarily by sophisticated threat actors.
Vulnerability Profile
CVE ID: CVE-2023-34362
Affected Product & Versions: MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)
CVSS Score & Severity: 9.8 (CRITICAL)
CVSS Version: 3.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
CWE IDs: CWE-89
Date Disclosed: 2023-06-02
Remediation Deadline: 2023-06-23
SSVC Exploitation Status: Active
Known Ransomware Use: Yes
EPSS Score & Percentile: 0.94254 (99.9%)
Patch Available: Yes
Technical Deep Dive into CVE-2023-34362
The core of CVE-2023-34362 lies in CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). In the context of MOVEit Transfer, this vulnerability manifests within the web application's handling of HTTP/HTTPS requests. Attackers do not require any prior authentication or local access to trigger the flaw; they simply need to send a specially crafted payload to a vulnerable endpoint.
The Attack Chain
SQL injection occurs when untrusted data is concatenated directly into a database query without proper sanitization or parameterization. In this specific case, the MOVEit Transfer web interface fails to validate input before passing it to the database engine. Depending on whether the environment utilizes MySQL, MS SQL, or Azure SQL, the impact varies slightly but remains catastrophic across all platforms.
Reconnaissance: Attackers identify publicly exposed MOVEit Transfer instances, which are often indexed by services like Shodan or Censys.
Injection: The attacker sends a malicious SQL command via a standard web request (HTTP/HTTPS). Because the vulnerability is unauthenticated, no login credentials are required.
Inference and Execution: By leveraging "blind" SQL injection techniques, the attacker can infer the database structure and content. More dangerously, they can execute statements to modify or delete data, or escalate their privileges within the application.
Data Exfiltration: In many observed attacks, the SQL injection is used to gain administrative sessions, which are then utilized to download sensitive files stored on the MFT platform.
Attack Surface and Blast Radius
Managed File Transfer systems are high-value targets because they act as the "digital post office" for an organization. They store and transit sensitive information, including PII, financial records, and intellectual property. The blast radius for CVE-2023-34362 is total; an attacker gaining database access can effectively control the entire application, compromise all stored data, and potentially move laterally if the database server or application server is inadequately segmented from the rest of the network.
Who Is Affected?
This vulnerability impacts a broad range of organizations across the globe, particularly those in the financial, healthcare, and government sectors that rely on MOVEit Transfer for secure file movement. Specifically, any organization running the following versions is at immediate risk:
MOVEit Transfer 2023.0.0 (15.0.0)
MOVEit Transfer 2022.1.x (14.1.x)
MOVEit Transfer 2022.0.x (14.0.x)
MOVEit Transfer 2021.1.x (13.1.x)
MOVEit Transfer 2021.0.x (13.0.x)
Older versions such as 2020.x and 2019.x are also affected.
Compliance Note: For U.S. Federal agencies and entities following the Cybersecurity and Infrastructure Security Agency (CISA) guidelines, CVE-2023-34362 was added to the Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, these organizations were required to apply the remediation steps by the June 23, 2023 deadline. Failure to patch by this date indicates a significant compliance gap and extreme security risk.
Official Remediation Steps
Progress Software has provided a structured response plan to mitigate this threat. Organizations should follow these steps in order:
Disable HTTP and HTTPS Traffic: Immediately disable all traffic to your MOVEit Transfer environment on ports 80 and 443. This prevents attackers from reaching the vulnerable web interface while you prepare for patching.
Review and Delete Unauthorized Files: Check the C:\MOVEitTransfer\wwwroot\ directory for any unexpected files, particularly those with a .aspx extension, which may indicate the presence of a web shell.
Apply Security Patches: Download and install the relevant patch for your version from the Progress Community Portal.
Update to 2023.0.1 (15.0.1)
Update to 2022.1.5 (14.1.5)
Update to 2022.0.4 (14.0.4)
Update to 2021.1.4 (13.1.4)
Update to 2021.0.6 (13.0.6)
Reset Service Account Credentials: After patching, rotate credentials for the MOVEit Transfer service account and any database accounts used by the application.
Enable Traffic: Once the patch is verified, restore HTTP and HTTPS traffic to the instance.
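An added example, not Progress's own tooling, for the file review in the second step above: it walks the wwwroot directory and reports every file missing from a known-good baseline, listing .aspx files first, and optionally flags baseline .aspx pages modified after a reference time. The baseline set and the paths in it are constructed placeholders; a real baseline should be taken from a clean install of the same version.

```python
import os

# Constructed placeholder baseline: relative paths (forward slashes, lowercase)
# from a clean install of the same MOVEit Transfer version. Not a real file list.
BASELINE_EXAMPLE = {"default.aspx", "app/upload.aspx", "css/site.css"}


def find_unexpected(entries, baseline, since=None):
    """entries: iterable of (relative_path, mtime_epoch_seconds) for every file
    under wwwroot. Returns [(path, reason), ...] with .aspx findings first.
    A file is reported if it is absent from the baseline, or if it is a
    baseline .aspx page whose mtime is at or after `since` (epoch seconds)."""
    findings = []
    for rel, mtime in entries:
        key = rel.replace("\\", "/").lower()
        is_aspx = key.endswith(".aspx")
        if key not in baseline:
            findings.append((rel, "not in baseline" + (" (.aspx)" if is_aspx else "")))
        elif is_aspx and since is not None and mtime >= since:
            findings.append((rel, "baseline .aspx modified after reference time"))
    findings.sort(key=lambda f: (not f[0].lower().endswith(".aspx"), f[0].lower()))
    return findings


def walk_wwwroot(root):
    """Collect (relative_path, mtime) for every file under root; run on the server."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out.append((os.path.relpath(full, root), os.path.getmtime(full)))
    return out


if __name__ == "__main__":
    root = r"C:\MOVEitTransfer\wwwroot"   # directory named in the remediation steps
    for path, reason in find_unexpected(walk_wwwroot(root), BASELINE_EXAMPLE):
        print(f"{reason}: {path}")
```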
Security Best Practices for Managed File Transfer
To prevent future SQL injection attacks and secure MFT environments, organizations should adopt the following defensive strategies:
Implement Parameterized Queries: Ensure all custom integrations or scripts interacting with the MOVEit database use prepared statements rather than dynamic SQL string building.
Network Segmentation: Isolate MFT servers from the general internal network. Only allow specific, necessary traffic to and from the MFT instance, ideally through a Web Application Firewall (WAF).
WAF Rule Enforcement: Configure Web Application Firewalls to intercept and block common SQL injection patterns (e.g., ' OR 1=1, UNION SELECT) at the edge.
Principle of Least Privilege: Configure the database service account so that it only has the minimum permissions necessary to operate the application. It should never have DBA or SYSADMIN rights.
Enhanced Logging and Monitoring: Monitor web server logs for high frequencies of 404 or 500 errors, and audit database logs for unusual query patterns or unauthorized access attempts from the application server IP.
Regular Vulnerability Scanning: Use automated tools to scan externally facing applications for CWE-89 and other OWASP Top 10 vulnerabilities on a continuous basis.
Egress Filtering: Limit the ability of the MFT server to initiate outbound connections to the internet, which can prevent the downloading of secondary malware or the exfiltration of data to attacker-controlled servers.
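An added example (not from the advisory) for the WAF and logging items above: a Python pass over IIS W3C-format web logs that reports client IPs producing bursts of 404/500 responses within one minute, and requests whose URL-decoded query string carries the two injection patterns the text names. The log lines are constructed, and the column order is read from the #Fields header as IIS writes it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not real MOVEit traffic); '-' is an empty field.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-06-01 10:00:05 GET /app/x1.aspx - 203.0.113.5 404
2023-06-01 10:00:07 GET /app/x2.aspx - 203.0.113.5 404
2023-06-01 10:00:09 POST /app/api.aspx - 203.0.113.5 500
2023-06-01 10:00:12 GET /app/x3.aspx - 203.0.113.5 404
2023-06-01 10:00:20 POST /app/api.aspx - 203.0.113.5 500
2023-06-01 10:00:31 GET /app/search.aspx q=report%27+OR+1%3D1-- 203.0.113.5 200
2023-06-01 10:02:00 GET /app/index.aspx - 198.51.100.7 200
2023-06-01 10:05:00 GET /app/files.aspx - 198.51.100.7 404
"""

# The two patterns the text names (a "' OR 1=1" tautology and UNION SELECT),
# checked after URL decoding so that percent-encoding alone does not hide them.
SQLI_PATTERNS = re.compile(r"'\s*or\s+[^=\s]+\s*=\s*\S+|union\s+select", re.IGNORECASE)


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def analyze(text, threshold=5, window=timedelta(minutes=1)):
    """Return {'error_bursts': {ip: peak 404/500 count within window}, 'sqli_hits': [...]}."""
    by_ip, bursts, hits = defaultdict(list), {}, []
    for r in parse_w3c(text):
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        if r["sc-status"] in ("404", "500"):
            by_ip[r["c-ip"]].append(ts)
        query = unquote_plus(r["cs-uri-query"]) if r["cs-uri-query"] != "-" else ""
        if SQLI_PATTERNS.search(query):
            hits.append((r["c-ip"], r["cs-uri-stem"], query))
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), end - start + 1)
    return {"error_bursts": bursts, "sqli_hits": hits}
```

Tune `threshold` and `window` to the instance's normal error rate before alerting on real logs; the pattern list is a starting point, not a substitute for the WAF's own SQL injection rule set.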