CVE-2017-6195

CVSS 3.x base score: 9.8 CRITICAL

📋 TL;DR

CVE-2017-6195 is a critical pre-authentication blind SQL injection vulnerability in Ipswitch MOVEit Transfer (formerly MOVEit DMZ). An unauthenticated remote attacker can inject SQL into queries the application runs against its backend database; because the injection is blind, results are inferred from the application's yes/no behaviour rather than returned directly, but that is enough to read the database out one character at a time. It affects organizations running unpatched MOVEit Transfer or MOVEit DMZ for managed file transfer, and successful exploitation can lead to full compromise of the database and potentially of the underlying server.

💻 Affected Systems

Products:
  • Ipswitch MOVEit Transfer
  • Ipswitch MOVEit DMZ
Versions: All versions before MOVEit Transfer 2017 9.0.0.201, MOVEit DMZ 8.3.0.30, and MOVEit DMZ 8.2.0.20
Operating Systems: Windows (primary platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of vulnerable versions. No special configuration required for exploitation.

📦 What is this software?

MOVEit Transfer (formerly MOVEit DMZ) is Ipswitch's managed file transfer (MFT) server, used to exchange files with external parties over HTTPS and SFTP. It runs on Windows as an IIS-hosted web application backed by a SQL database (Microsoft SQL Server or MySQL). Because its purpose is to be reachable by outside partners, it is usually internet-facing, which is what makes a pre-authentication flaw in its web tier so serious.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full read and write access to the MOVEit database, enabling theft of stored account and transfer data and manipulation of accounts and permissions; if the database account the application uses is over-privileged, code execution on the database or application server.

🟠 Likely Case: Disclosure of database contents extracted one value at a time through the blind channel, data manipulation, and authentication bypass leading to access to sensitive transferred files.

🟢 If Mitigated: Reduced but not eliminated. Source-IP restrictions shrink the attacker population, a WAF raises the cost of automated probing (blind payloads are short and readily obfuscated past signature rules), and a least-privilege database account bounds what an injection can reach. Only the vendor patch removes the flaw.

🌐 Internet-Facing: HIGH - Pre-authentication vulnerability on internet-facing file transfer systems makes exploitation trivial.
🏢 Internal Only: MEDIUM - Still significant risk from internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The flaw is blind SQL injection: the application returns no query results or error text, so an attacker infers data from differences in behaviour (a true/false change in the response, or an induced delay) and extracts it one character per request. That is slower than error-based injection but fully automatable, and it needs no account. Technical details are public in the referenced advisories.
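To make the "blind" part concrete, the following is an added, self-contained example (not MOVEit code, and not modelled on any real MOVEit endpoint). It builds a constructed SQLite table with one secret, exposes a hypothetical pre-authentication lookup that splices input into SQL and returns only True/False, and shows how that single bit per request is enough to recover the secret. The same extraction loop is then pointed at a parameterized version of the lookup, which leaks nothing. The table, column and secret names are invented for the demonstration.

```python
import sqlite3
import string
from functools import partial

# Constructed sample data: the value an attacker wants to read out.
SECRET = "s3cr3t-token"


def build_db() -> sqlite3.Connection:
    """Constructed schema, not MOVEit's: one user row carrying a token."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, token TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, token) VALUES (?, ?)", ("admin", SECRET)
    )
    conn.commit()
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """Hypothetical pre-auth lookup that splices untrusted input into SQL.

    The caller only learns True/False, which is what makes the injection
    'blind': there is no error text or result set for the attacker to read.
    """
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(conn: sqlite3.Connection, username: str) -> bool:
    """The same lookup with a bound parameter: the input is only ever data."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None


def extract_token_blind(oracle, max_len: int = 64) -> str:
    """Boolean-based blind extraction against `oracle(payload) -> bool`.

    Each probe closes the original quote, appends a condition on the secret
    and comments out the trailing quote with `-- `. Characters are compared
    by code point (SQLite's unicode()) so the payload never has to quote the
    candidate character itself.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once this position lies past the end of the secret.
        if oracle(f"admin' AND length(token) < {pos} -- "):
            break
        for ch in alphabet:
            payload = (
                f"admin' AND unicode(substr(token, {pos}, 1)) = {ord(ch)} -- "
            )
            if oracle(payload):
                recovered += ch
                break
        else:
            # No candidate matched: the alphabet is incomplete or the oracle
            # is not injectable. Stop rather than loop to max_len.
            break
    return recovered


def demo() -> dict:
    """Run the extraction against both lookups and report what leaked."""
    conn = build_db()
    vulnerable = partial(user_exists_vulnerable, conn)
    fixed = partial(user_exists_fixed, conn)
    tautology = "x' OR '1'='1"
    return {
        "leaked_via_vulnerable": extract_token_blind(vulnerable),
        "leaked_via_fixed": extract_token_blind(fixed),
        "tautology_on_vulnerable": user_exists_vulnerable(conn, tautology),
        "tautology_on_fixed": user_exists_fixed(conn, tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Against the vulnerable lookup the loop recovers the whole secret with nothing but True/False answers; against the parameterized lookup every probe is treated as a literal username and the result is an empty string. A time-based variant works the same way, substituting an induced delay for the boolean answer, which is why response-time outliers matter in detection.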

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MOVEit Transfer 2017 9.0.0.201, MOVEit DMZ 8.3.0.30, or MOVEit DMZ 8.2.0.20

Vendor Advisory: http://ft.ipswitch.com/rs/751-HBN-596/images/Ipswitch-Security-Bulletin-FT-Vulnerability.pdf

Restart Required: Yes

Instructions:

1. Back up the current installation and database.
2. Download the appropriate patch for your branch (Transfer 2017, DMZ 8.3 or DMZ 8.2) from the Ipswitch support portal.
3. Apply the patch following the vendor's instructions.
4. Restart the MOVEit service.
5. Verify that the reported version matches the fixed build for your branch.

🔧 Temporary Workarounds

Web Application Firewall Rules (all platforms)

Deploy WAF rules that block SQL injection patterns in GET and POST parameters sent to MOVEit endpoints, including URL-encoded and double-encoded forms. Treat this as a speed bump, not a fix: blind payloads are short and readily obfuscated past signature rules.

Network Segmentation (all platforms)

Restrict access to the MOVEit server to trusted source IP ranges with firewall rules; a pre-authentication flaw is only reachable by whoever can reach the web tier.

🧯 If You Can't Patch

  • Isolate the MOVEit server in a separate network segment with strict access controls
  • Implement database monitoring and alerting for suspicious SQL queries

🔍 How to Verify

Check if Vulnerable:

Check the MOVEit version in the admin interface or via file properties, then compare it against the fixed build for your branch. The fix shipped per branch (8.2, 8.3 and 9.0), so a DMZ 8.2 build at or above 8.2.0.20 is fixed even though it is numerically below 8.3.0.30.

Check Version:

Check MOVEit admin interface → System Information or examine file properties of MOVEit executables

Verify Fix Applied:

Verify version number matches patched versions: 9.0.0.201 for MOVEit Transfer 2017, 8.3.0.30 or 8.2.0.20 for MOVEit DMZ
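Because the fixed builds are per branch, a naive "is my version lower than 9.0.0.201" comparison misclassifies patched 8.2 and 8.3 installs. The following is an added example (not vendor tooling) of a branch-aware check using the three fixed builds named in this advisory; the version string is assumed to be read from the admin interface or the executable's file properties and passed in by hand. How it treats branches the bulletin does not list is an assumption stated in the code.

```python
# Fixed builds named in the vendor bulletin; each branch received its own fix.
FIXED_BUILDS = {
    (9, 0): (9, 0, 0, 201),  # MOVEit Transfer 2017
    (8, 3): (8, 3, 0, 30),   # MOVEit DMZ 8.3
    (8, 2): (8, 2, 0, 20),   # MOVEit DMZ 8.2
}


def parse_version(text: str) -> tuple:
    """Turn '8.2.0.20' into (8, 2, 0, 20); pad short strings with zeros."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    numbers = tuple(int(part) for part in parts)
    return numbers + (0,) * max(0, 4 - len(numbers))


def assess(text: str) -> str:
    """Classify a version string as 'fixed' or 'vulnerable ...'.

    Compares within the release branch first, so 8.2.0.25 is reported
    fixed even though it sorts below 8.3.0.30 as a plain tuple.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return "fixed" if version >= FIXED_BUILDS[branch] else "vulnerable"
    # Assumption, not from the bulletin: releases newer than 9.0.0.201 carry
    # the fix; unlisted branches below 9.0 have no fixed build named in the
    # bulletin and must be upgraded, so they are reported vulnerable.
    if version > FIXED_BUILDS[(9, 0)]:
        return "fixed"
    return "vulnerable (no fixed build on this branch; upgrade)"


if __name__ == "__main__":
    for sample in ("9.0.0.201", "9.0.0.200", "8.3.0.30", "8.2.0.25", "8.1.2.0"):
        print(f"{sample:>10}: {assess(sample)}")
```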

📡 Detection & Monitoring

Log Indicators:

  • Bursts of near-identical requests to the same pre-authentication endpoint from one source, differing only in a comparison value or character offset (the shape of boolean-based blind extraction)
  • Outliers in IIS time-taken for otherwise cheap requests (time-based probes such as WAITFOR DELAY)
  • SQL error text in MOVEit or database logs is a bonus, not a requirement: blind injection by design produces little or none

Network Indicators:

  • URL-encoded SQL fragments (a closing quote followed by AND/OR comparisons, SUBSTRING/ASCII, WAITFOR, comment sequences) in requests to MOVEit endpoints, including double-encoded variants
  • Unusual query volume or query shapes from the MOVEit application server to its database during the same window

SIEM Query:

Splunk-style pseudo-query; adjust field names to your sourcetype and tune the threshold to your baseline:

source="moveit.logs" (cs_uri_query="*WAITFOR*" OR cs_uri_query="*SLEEP(*" OR cs_uri_query="*SUBSTRING(*" OR cs_uri_query="*%27%20AND%20*" OR cs_uri_query="*' AND *") | stats count, dc(cs_uri_query) AS variants, max(time_taken) AS slowest BY c_ip | where count > 20
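The indicators above can be checked offline against exported IIS logs. The following is an added example (not an Ipswitch or MOVEit tool) that decodes each request's query string, including double-encoded payloads, matches it against the primitives blind payloads rely on, and summarizes hits per client address with a burst flag and a count of slow responses. The log lines, field order, endpoint paths and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Field order assumed for the constructed sample below. Real IIS W3C logs
# declare their own order in a '#Fields:' header; parse against that.
FIELDS = ("date", "time", "cs-method", "cs-uri-stem", "cs-uri-query",
          "c-ip", "sc-status", "time-taken")

# Constructed sample log: benign traffic plus a boolean- and time-based probe
# series from 203.0.113.5. Paths are placeholders, not real MOVEit endpoints.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2017-03-20 10:00:01 GET /portal/home.aspx - 198.51.100.7 200 45
2017-03-20 10:00:02 POST /portal/login.aspx - 198.51.100.7 302 120
2017-03-20 10:00:05 GET /portal/check.aspx user=admin 203.0.113.5 200 40
2017-03-20 10:00:06 GET /portal/check.aspx user=admin%27%20AND%201%3D1--%20 203.0.113.5 200 41
2017-03-20 10:00:06 GET /portal/check.aspx user=admin%27%20AND%201%3D2--%20 203.0.113.5 200 39
2017-03-20 10:00:07 GET /portal/check.aspx user=admin%27%20AND%20ASCII%28SUBSTRING%28token%2C1%2C1%29%29%3E64--%20 203.0.113.5 200 43
2017-03-20 10:00:08 GET /portal/check.aspx user=admin%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--%20 203.0.113.5 200 5044
2017-03-20 10:00:09 GET /portal/check.aspx user=admin%2527%2520AND%25201%253D1--%2520 203.0.113.5 200 42
2017-03-20 10:00:10 GET /portal/check.aspx user=o%27brien 198.51.100.9 200 38
"""

# Primitives blind payloads lean on, matched after URL-decoding.
INDICATORS = {
    "boolean_compare": re.compile(
        r"'\s*(?:and|or)\s+[\w'\"]+\s*(?:=|<>|!=|<|>)\s*[\w'\"]+", re.I),
    "char_extraction": re.compile(
        r"\b(?:ascii|unicode|substring|substr)\s*\(", re.I),
    "time_delay": re.compile(
        r"waitfor\s+delay\b|\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
    "comment_terminator": re.compile(r"(?:--|/\*)\s*$"),
}


def decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads surface."""
    text = "" if value == "-" else value
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(query: str) -> list:
    """Names of the indicator patterns present in a decoded query string."""
    decoded = decode(query)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def parse_line(line: str):
    """Split one sample line into a record; skip headers and odd lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    record["time-taken"] = int(record["time-taken"])  # IIS reports ms
    return record


def scan(log_text: str, burst_threshold: int = 3, slow_ms: int = 5000) -> dict:
    """Per-client summary of requests carrying injection indicators.

    burst_threshold and slow_ms are tuning assumptions for this sample: blind
    extraction needs many near-identical requests, and a time-based probe
    shows up as a time-taken outlier rather than as any SQL error.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "indicators": set(), "slow": 0})
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        tags = classify(record["cs-uri-query"])
        if not tags:
            continue
        stats = per_ip[record["c-ip"]]
        stats["hits"] += 1
        stats["indicators"].update(tags)
        if record["time-taken"] >= slow_ms:
            stats["slow"] += 1
    return {
        ip: {"hits": s["hits"], "slow_hits": s["slow"],
             "indicators": sorted(s["indicators"]),
             "burst": s["hits"] >= burst_threshold}
        for ip, s in per_ip.items()
    }


if __name__ == "__main__":
    for ip, summary in scan(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample, only 203.0.113.5 is reported: five flagged requests, one of them slow, with boolean, character-extraction, time-delay and comment indicators all present; the apostrophe in `o'brien` is not flagged because no comparison or SQL primitive follows it. Matching on decoded text matters because the last probe in the series is double-encoded and would slip past a single-pass rule.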
