CVE-2021-33894

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in the Progress MOVEit Transfer web application (CVSS 8.8) lets an authenticated user run attacker-controlled SQL against the database that backs the product. Authentication is required, so the attacker needs a valid MOVEit Transfer account or a stolen credential; once past that barrier the database contents can be read, altered, or deleted, so the main exposure is to data confidentiality and integrity. Organizations running an unpatched version are affected in the default configuration.
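The vulnerability class in its plain form, as an added example that is not MOVEit's code (the affected component is part of a closed-source .NET application and is not reproduced here): a Python/sqlite3 file-listing routine for an authenticated user that concatenates the user-supplied name filter into the statement, next to the same query with bound parameters. The schema, rows, and the `files`/`users` table names are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows for the demo (not MOVEit's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        CREATE TABLE files(id INTEGER PRIMARY KEY, owner TEXT, name TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-alice'), (2, 'admin', 'hash-admin');
        INSERT INTO files VALUES (1, 'alice', 'report.pdf'), (2, 'admin', 'keys.txt');
        """
    )
    return conn


def list_files_vulnerable(conn, owner, pattern):
    """The logged-in user 'owner' filters their own files by name. The filter is
    pasted into the statement text, so a quote inside it changes the query's
    structure instead of being treated as data."""
    sql = f"SELECT name FROM files WHERE owner = '{owner}' AND name LIKE '{pattern}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner, pattern):
    """Same query with bound parameters: the driver ships the values separately
    from the statement, so quotes and keywords in them never become SQL."""
    sql = "SELECT name FROM files WHERE owner = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (owner, pattern))]


# What an authenticated, otherwise unprivileged user submits as the filename filter:
# the leading quote closes the LIKE literal, the UNION appends every user's password
# hash to the result, and the trailing '1'='1 absorbs the quote the template adds.
PAYLOAD = "zzz%' UNION SELECT username || ':' || pw_hash FROM users WHERE '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", list_files_vulnerable(db, "alice", PAYLOAD))
    print("safe:      ", list_files_safe(db, "alice", PAYLOAD))
```

With the payload the vulnerable routine returns both users' hashes to a user who owns only `report.pdf`; the parameterized routine returns nothing, because the whole payload becomes a literal LIKE pattern that no filename matches. Note that parameters stop injection but not wildcard abuse: `%` and `_` in the bound pattern still act as LIKE wildcards, so a per-user `owner` constraint like the one above is what keeps the result scoped.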

💻 Affected Systems

Products:
  • Progress MOVEit Transfer
Versions: Before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), 2021.x before 2021.0.1 (13.0.1)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the MOVEit.DMZ.WebApp component. Requires authenticated access to exploit.

📦 What is this software?

Progress MOVEit Transfer is a managed file transfer (MFT) server for Windows used to exchange files with external parties over protocols such as HTTPS and SFTP. Its web front end (the MOVEit.DMZ.WebApp component named above) keeps users, folders, and file metadata in a backing Microsoft SQL Server or MySQL database, which is the database this injection reaches.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data destruction, and potential lateral movement to other systems via database connections.

🟠

Likely Case

Unauthorized data access and potential data manipulation by authenticated malicious users or compromised accounts.

🟢

If Mitigated

Limited impact with proper authentication controls, database permissions, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a valid account, but SQL injection is a well-understood attack class with mature tooling, so the authentication requirement is the main barrier rather than the technique itself. Self-registration or a single phished user lowers that barrier considerably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2019.0.6 (11.0.6), 2019.1.5 (11.1.5), 2019.2.2 (11.2.2), 2020.0.5 (12.0.5), 2020.1.4 (12.1.4), 2021.0.1 (13.0.1) or later

Vendor Advisory: https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021

Restart Required: Yes

Instructions:

1. Download the appropriate patch for your branch from the Progress support portal.
2. Back up the current installation and the MOVEit Transfer database.
3. Apply the patch following the vendor instructions.
4. Restart the MOVEit Transfer services.
5. Verify the update by checking the version against the patched versions listed above.

🔧 Temporary Workarounds

Database Permission Restriction (applies to: all)

Limit the database account MOVEit Transfer connects with to the minimum rights the application needs. This narrows what an injected statement can reach (no rights on other databases, no DDL if the application does not need it) but does not stop the injection itself.

Network Segmentation (applies to: all)

Isolate the MOVEit Transfer database from other critical systems so that a compromised database session cannot be used as a pivot to other hosts.

🧯 If You Can't Patch

  • Tighten authentication controls (disable self-registration where not needed, enforce MFA where the deployment supports it) and monitor for suspicious account activity, since a valid account is the precondition for exploitation
  • Deploy a web application firewall with SQL injection rules in front of the web interface; this raises the attacker's cost but is a bypassable screen, not a fix

🔍 How to Verify

Check if Vulnerable:

Check MOVEit Transfer version in administrative interface or installation directory

Check Version:

Check via MOVEit Transfer web interface: Admin > System > About

Verify Fix Applied:

Verify version number matches patched versions listed in vendor advisory
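Checking a version string against the advisory's ranges by hand is error-prone because each branch has its own first fixed build. The helper below is an added example (not a Progress tool) that encodes the affected-version list from this page; it assumes the version is pasted from the About page in either the marketing form (`2020.0.4`) or the build form (`12.0.4`), or both together as `2020.0.4 (12.0.4)`.

```python
import re

# First fixed build on each branch, from the advisory's affected-version list.
# Keys are (major, minor) of the build number; the marketing year maps onto the
# major: 2019 -> 11, 2020 -> 12, 2021 -> 13.
FIRST_FIXED = {
    (11, 0): (11, 0, 6),  # 2019.0.6
    (11, 1): (11, 1, 5),  # 2019.1.5
    (11, 2): (11, 2, 2),  # 2019.2.2
    (12, 0): (12, 0, 5),  # 2020.0.5
    (12, 1): (12, 1, 4),  # 2020.1.4
    (13, 0): (13, 0, 1),  # 2021.0.1
}
YEAR_TO_MAJOR = {2019: 11, 2020: 12, 2021: 13}
OLDEST_LISTED_BRANCH = (11, 0)
NEWEST_LISTED_BRANCH = (13, 0)


def parse_build(text):
    """Return (major, minor, patch) as a build number from strings such as
    '12.0.4', '2020.0.4' or '2020.0.4 (12.0.4)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major >= 1000:  # marketing year form
        if major not in YEAR_TO_MAJOR:
            raise ValueError(f"release year {major} is not covered by this advisory")
        major = YEAR_TO_MAJOR[major]
    return (major, minor, patch)


def is_vulnerable(text):
    """True or False against the advisory's ranges; None for a branch the
    advisory does not list, which should be checked against the vendor page."""
    build = parse_build(text)
    branch = build[:2]
    if branch in FIRST_FIXED:
        return build < FIRST_FIXED[branch]
    if branch < OLDEST_LISTED_BRANCH:
        return True  # the advisory's "before 2019.0.6" covers every older release
    if branch > NEWEST_LISTED_BRANCH:
        return False  # branches released after the fixed 2021.0.1 build
    return None


if __name__ == "__main__":
    for v in ("2020.0.4 (12.0.4)", "12.0.5", "2019.1.4", "2021.0.1"):
        print(f"{v:22} vulnerable={is_vulnerable(v)}")
```

The comparison is branch-aware on purpose: `12.0.4` is vulnerable although it is numerically "newer" than the fixed `11.2.2`, and a plain numeric comparison against any single fixed version would get that wrong.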

📡 Detection & Monitoring

Log Indicators:

  • Statements in the database query log that contain injection structure (UNION SELECT, a quote followed by OR/AND and a tautology, stacked statements after a semicolon, comment sequences used to truncate the statement). Query logging is not on by default for SQL Server or MySQL; enable an audit or general query log on the MOVEit database before relying on this.
  • Web server or application logs showing request parameters that contain quotes, SQL keywords, or comment markers, tied to one authenticated session
  • Multiple failed authentication attempts followed by a successful login, then unusual activity from that account (the account is the precondition for this exploit)

Network Indicators:

  • Database connections or query volume from the MOVEit server outside its normal profile
  • Unusually large result sets or data transfers from the database host

SIEM Query:

The boolean precedence matters: without parentheses, AND binds tighter than OR and the query effectively reads `source="mssql" OR (source="mysql" AND ...)`. The keywords must also be matched as substrings, and bare SELECT or DELETE will fire on normal application traffic, so match on injection structure rather than on single keywords:

(source="mssql" OR source="mysql") AND (query="*UNION*SELECT*" OR query="*' OR *=*" OR query="*;*DROP*" OR query="*--*")

Field names (`source`, `query`) depend on how the database audit log is ingested and should be adjusted to the actual field names in your SIEM.
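A detector over constructed query-log lines, as an added example that is not part of this page and not MOVEit's own log format (the line layout `timestamp user=... src=... sql="..."` is assumed here): each statement is scored against weighted injection signatures, so that keywords normal application queries contain (SELECT, DELETE) never alert on their own, which is the false-positive problem a single-keyword SIEM search has.

```python
import re
from collections import Counter

# Signature, weight, label. Weights are chosen so that one weak signal
# (a comment marker, a schema table name) stays below THRESHOLD alone.
SIGNATURES = [
    (re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I), 5, "UNION-based read"),
    (re.compile(r"'\s*(?:or|and)\s+['\d]+\s*=\s*['\d]+", re.I), 4, "tautology after quote"),
    (re.compile(r";\s*(?:drop|delete|update|insert|exec|xp_cmdshell)\b", re.I), 5, "stacked statement"),
    (re.compile(r"--|/\*"), 2, "comment truncation"),
    (re.compile(r"\b(?:information_schema|sysobjects|sys\.tables)\b", re.I), 3, "schema enumeration"),
    (re.compile(r"\b(?:waitfor\s+delay|sleep\s*\(|benchmark\s*\()", re.I), 4, "time-based probe"),
]
THRESHOLD = 4

# Assumed log line layout; real deployments need a parser for their own format.
LINE = re.compile(r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+sql="(?P<sql>.*)"$')

# Constructed sample: two normal application queries, three probes from one account,
# and one low-scoring admin query that stays under the threshold.
SAMPLE_LOG = """\
2021-06-10T09:14:02Z user=alice src=10.1.2.3 sql="SELECT * FROM files WHERE owner = 'alice' ORDER BY name"
2021-06-10T09:14:05Z user=alice src=10.1.2.3 sql="DELETE FROM sessions WHERE expires < '2021-06-10'"
2021-06-10T09:20:11Z user=bob src=203.0.113.9 sql="SELECT name FROM files WHERE owner = 'bob' AND name LIKE 'x%' UNION SELECT password FROM users WHERE '1'='1'"
2021-06-10T09:20:15Z user=bob src=203.0.113.9 sql="SELECT name FROM files WHERE owner = 'bob' OR '1'='1' -- ' AND name LIKE 'a%'"
2021-06-10T09:21:40Z user=bob src=203.0.113.9 sql="SELECT name FROM files WHERE owner = 'bob'; WAITFOR DELAY '0:0:5' --"
2021-06-10T09:22:03Z user=carol src=10.1.2.8 sql="SELECT COUNT(*) FROM information_schema.tables"
""".splitlines()


def score(sql):
    """Return (total weight, matched labels) for one statement."""
    hits = [(weight, label) for rx, weight, label in SIGNATURES if rx.search(sql)]
    return sum(w for w, _ in hits), [label for _, label in hits]


def scan(lines):
    """Parse each line, score its statement, and return alerts above THRESHOLD."""
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        total, reasons = score(m["sql"])
        if total >= THRESHOLD:
            alerts.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                           "score": total, "reasons": reasons})
    return alerts


def per_user_counts(alerts):
    """Alerts per account: repeated hits from one session are the signal here."""
    return dict(Counter(a["user"] for a in alerts))


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["user"], a["src"], a["score"], ", ".join(a["reasons"]))
    print(per_user_counts(scan(SAMPLE_LOG)))
```

Run against the sample, only bob's three statements alert; alice's `SELECT * FROM` and `DELETE` lines, which a keyword-only search would flag, score zero, and carol's single `information_schema` hit stays below the threshold. Because exploitation needs an authenticated session, grouping alerts by account (as `per_user_counts` does) and then pivoting to that account's login history is the natural next step in triage.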

🔗 References

  • Progress advisory: https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-33894