
Another Unauthenticated Critical SQLi Flaw Found in MOVEit Transfer Software
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, a popular piece of software used for secure file transfers. Additionally, Progress Software has patched two other high-severity vulnerabilities.
The identified SQL injection vulnerability, tracked as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database.
SQL injection vulnerabilities are well-known and dangerous security flaws that allow attackers to manipulate a database and execute arbitrary SQL statements against it. An attacker can send a specially crafted payload to specific endpoints of the affected application, which can modify or expose sensitive data in the database.
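To make the mechanism in the paragraph above concrete, the following added example (written for this page; it is not MOVEit Transfer's code, and the `users` table, the `lookup_unsafe` and `lookup_safe` functions and the sample rows are all constructed) shows the vulnerable pattern, untrusted input spliced into SQL text, next to the hardened pattern that binds the same input as a parameter. Against the constructed in-memory SQLite database, the spliced query lets a crafted value widen the `WHERE` clause and return every row, while the parameterized query treats the same value as an ordinary string and returns nothing.

```python
import sqlite3

# Constructed sample data for a hypothetical "users" table; not MOVEit's schema.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "admin"),
    ("bob", "bob@example.invalid", "user"),
    ("carol", "carol@example.invalid", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL
    text, so quote characters in the value change the statement's structure."""
    query = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: a placeholder in the SQL text and the value bound
    separately, so the database never parses the value as SQL."""
    return conn.execute(
        "SELECT name, email, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "alice"
    # Constructed test value containing a quote; it is data, not a real request.
    crafted = "x' OR '1'='1"
    print("unsafe, benign :", lookup_unsafe(conn, benign))
    print("unsafe, crafted:", lookup_unsafe(conn, crafted))
    print("safe,   benign :", lookup_safe(conn, benign))
    print("safe,   crafted:", lookup_safe(conn, crafted))
```

The fix is the only difference between the two functions: the hardened version never lets the request value become part of the statement, which is why parameterized queries (or an ORM that generates them) are the standard remediation for this vulnerability class, independent of which endpoint the input arrives on.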
The reason CVE-2023-36934 is so critical is that it can be exploited without logging in. This means that even an attacker without valid credentials could potentially exploit the vulnerability. However, to date, there have been no reports of this particular vulnerability being actively used by attackers.
This discovery comes after a recent series of cyberattacks that exploited a different SQL injection vulnerability (CVE-2023-34362) to target MOVEit Transfer deployments in a Clop ransomware campaign. Those attacks resulted in data theft and the extortion of affected organizations.
This latest security update from Progress Software also addresses two other high-severity vulnerabilities: CVE-2023-36932 and CVE-2023-36933.
CVE-2023-36932 is a SQL injection flaw that could be exploited by an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. CVE-2023-36933, on the other hand, is a vulnerability that could allow an attacker to cause the MOVEit Transfer program to terminate unexpectedly.
Researchers from HackerOne and Trend Micro's Zero Day Initiative responsibly reported this vulnerability to Progress Software.
This vulnerability affects several versions of MOVEit Transfer, including 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
Progress Software has provided the necessary updates for all major MOVEit Transfer versions. Users are strongly advised to update MOVEit Transfer to the latest version to mitigate the risks posed by this vulnerability.