
Progress Software Patches Critical SQL Injection Vulnerability in MOVEit Transfer

Progress Software, an international provider of application development and digital experience technologies, has disclosed a critical SQL injection vulnerability in its widely used managed file transfer product, MOVEit Transfer. The flaw, together with two other high-severity vulnerabilities, has been patched by the company.

SQL injection is a serious class of web application flaw. It lets an attacker change the structure of the queries an application sends to its database, so that attacker-supplied input is executed as SQL rather than handled as data. In practice this means sending specially crafted payloads to particular endpoints of the affected application, which can lead to unauthorized disclosure or modification of database contents.

In the case of the SQL injection vulnerability in MOVEit Transfer, tracked as CVE-2023-36934, the risk was judged particularly high because it can be exploited by an unauthenticated attacker. Put simply, someone without valid login credentials could take advantage of the flaw. At the time of writing, no exploitation of this vulnerability in the wild has been reported.

The disclosure of CVE-2023-36934 follows a wave of attacks that exploited a separate SQL injection vulnerability in MOVEit Transfer, CVE-2023-34362. That earlier flaw was used by the Clop ransomware group against MOVEit Transfer systems, resulting in large-scale data compromise and financial extortion of the affected businesses.

In addition to CVE-2023-36934, the update from Progress Software addresses two other notable vulnerabilities, CVE-2023-36932 and CVE-2023-36933.
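To make the injection mechanism described above concrete, the following Python example is added here; it is not MOVEit Transfer code and does not reproduce the specific flaw in CVE-2023-36934, which the article does not detail. It contrasts an unauthenticated lookup handler that concatenates a request parameter into SQL with the parameterised version that closes the hole, and shows both outcomes the article names: disclosure (a tautology that returns every row, a UNION that reads another table) and modification (an injected WHERE clause that widens an UPDATE to every row). The in-memory SQLite schema, the `files` and `users` tables, the handler functions and the payload strings are all constructed for the illustration.

```python
"""Illustrative SQL injection demo, added as an example.  This is not MOVEit
Transfer code and nothing here is taken from the Progress advisory.  The
schema, table names, handler functions and sample rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a file-transfer application's database
    (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE files (id TEXT PRIMARY KEY, name TEXT, owner TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT);
        INSERT INTO files VALUES ('f-1001', 'q3-report.pdf', 'alice');
        INSERT INTO files VALUES ('f-1002', 'payroll.xlsx',  'bob');
        INSERT INTO users VALUES ('alice', 'hash-alice-constructed');
        INSERT INTO users VALUES ('admin', 'hash-admin-constructed');
        """
    )
    return conn


def lookup_file_vulnerable(conn, file_id):
    """Pre-auth 'fetch file metadata' handler that splices the request
    parameter straight into the statement (the defect)."""
    sql = f"SELECT id, name, owner FROM files WHERE id = '{file_id}'"
    return conn.execute(sql).fetchall()


def rename_file_vulnerable(conn, file_id, new_name):
    """Same defect in a statement that writes: the WHERE clause is
    attacker-controlled, so the UPDATE can be widened to every row.
    Returns how many rows now carry new_name."""
    sql = f"UPDATE files SET name = '{new_name}' WHERE id = '{file_id}'"
    conn.execute(sql)
    conn.commit()
    return conn.execute(
        "SELECT COUNT(*) FROM files WHERE name = ?", (new_name,)
    ).fetchone()[0]


def lookup_file_hardened(conn, file_id):
    """Parameterised form: the driver binds file_id as a value, so quotes
    and keywords inside it are never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, owner FROM files WHERE id = ?", (file_id,)
    ).fetchall()


# Payloads a remote, unauthenticated client could place in the request.
TAUTOLOGY = "' OR '1'='1"
# The UNION's column count (3) must match the original SELECT; the trailing
# '--' comments out the closing quote the application appends.
UNION_DUMP = "' UNION SELECT username, password_hash, 'n/a' FROM users --"


def run_demo():
    """Run every case against a fresh database and return the outcomes."""
    conn = build_db()
    return {
        # Normal request: exactly the one record asked for.
        "benign": lookup_file_vulnerable(conn, "f-1001"),
        # Disclosure: the tautology returns every file, not just one.
        "tautology_rows": len(lookup_file_vulnerable(conn, TAUTOLOGY)),
        # Disclosure: UNION pulls credential material out of another table.
        "dumped_users": sorted(
            row[0] for row in lookup_file_vulnerable(conn, UNION_DUMP)
        ),
        # Modification: the injected WHERE clause renames both files.
        "renamed_rows": rename_file_vulnerable(conn, TAUTOLOGY, "owned.txt"),
        # Hardened handler treats the payload as an (unmatched) literal id.
        "hardened_rows": len(lookup_file_hardened(conn, TAUTOLOGY)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The modification case is driven through an injected WHERE clause rather than a stacked second statement because Python's `sqlite3.execute()` refuses to run more than one statement at a time; other database drivers and engines do allow stacked statements, which is why an injection point can also be turned into arbitrary data manipulation. The hardened handler relies on parameter binding, which is the generic remediation for this class of bug and is unrelated to whatever specific change Progress shipped.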
Of the two additional flaws, CVE-2023-36932 is also a SQL injection vulnerability, but it is rated high rather than critical because it requires an authenticated attacker; CVE-2023-36933 allows an attacker to make the MOVEit Transfer application terminate unexpectedly, a denial-of-service condition. These vulnerabilities were reported to Progress Software by researchers working through HackerOne and Trend Micro's Zero Day Initiative, an example of responsible disclosure. All supported MOVEit Transfer release lines are affected: versions 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier. Progress Software has released fixed builds for each of these lines, and administrators are strongly advised to upgrade to the latest available release of their branch to remove the exposure. This episode underlines the importance of timely patching and of keeping up with current security advisories. Stay informed and strengthen your security program by subscribing to daily cybersecurity news, insights, and practical tips.

