CVE-2021-37614

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in Progress MOVEit Transfer allows authenticated remote attackers to execute arbitrary SQL queries against the database. Attackers can read, modify, or delete database contents, potentially compromising sensitive file transfer data. Organizations using affected MOVEit Transfer versions before the patched releases are vulnerable.

💻 Affected Systems

Products:
  • Progress MOVEit Transfer
Versions: All versions before 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3)
Operating Systems: Windows Server (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access. Affects MySQL, Microsoft SQL Server, and Azure SQL database backends.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, data destruction, or full system takeover via privilege escalation.

🟠 Likely Case

Unauthorized access to sensitive file transfer metadata, user credentials, and potentially file contents stored in the database.

🟢 If Mitigated

Limited impact with proper network segmentation, database permissions, and monitoring in place.

🌐 Internet-Facing: HIGH - MOVEit Transfer is often exposed to the internet for file sharing, making it a prime target.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly exploited. Requires authenticated access but exploitation is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), or 2021.0.3 (13.0.3) depending on your version

Vendor Advisory: https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the Progress Software support portal.
2. Back up your MOVEit Transfer installation and database.
3. Apply the patch following vendor instructions.
4. Restart MOVEit Transfer services.
5. Verify successful update.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict access to MOVEit Transfer to only trusted IP addresses and networks.

Database Permission Reduction

all

Limit database user permissions to only necessary operations (SELECT, INSERT, UPDATE on specific tables).

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the MOVEit Transfer interface
  • Enhance monitoring of database queries and implement SQL injection detection at the application or database layer

🔍 How to Verify

Check if Vulnerable:

Check MOVEit Transfer version in web interface (Admin > System > About) or installation directory.

Check Version:

Check web interface at /admin/about.aspx or examine MOVEit installation directory version files.

Verify Fix Applied:

Verify that the installed version number is at or above the patched version for its release branch, as listed under Affected Systems.
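
The version check above can be scripted across an inventory. The following is an added example, not vendor code: it compares a reported version against the fixed release for its branch, accepting both the year-style and internal numbering given on this page. The function names and sample hosts are hypothetical, and treating branches newer than 13.0 as already fixed is an assumption drawn from the "all versions before" wording.

```python
import re

# Fixed patch level per branch (internal numbering), copied from the advisory text.
FIXED = {(11, 0): 7, (11, 1): 6, (11, 2): 3, (12, 0): 6, (12, 1): 5, (13, 0): 3}
# Release-year naming to internal major version, as paired in the advisory text.
YEAR_TO_MAJOR = {2019: 11, 2020: 12, 2021: 13}


def parse_version(text):
    """Extract (major, minor, patch) in internal numbering from a version string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    if major >= 2000:  # year-style name such as 2020.1.4
        if major not in YEAR_TO_MAJOR:
            raise ValueError(f"release year {major} is not listed in the advisory")
        major = YEAR_TO_MAJOR[major]
    return major, minor, patch


def assess(text):
    """Return (status, minimum fixed version or None) for CVE-2021-37614."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        fixed = f"{major}.{minor}.{FIXED[branch]}"
        return ("patched" if patch >= FIXED[branch] else "vulnerable", fixed)
    if branch < min(FIXED):
        # Older than every listed branch: covered by "all versions before".
        return ("vulnerable", None)
    if branch > max(FIXED):
        # Assumption: branches after 13.0 already include the fix.
        return ("not-affected", None)
    # Branch between listed ones (e.g. 11.3): the page gives no fixed release.
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, version in [("mft-01", "12.1.4"), ("mft-02", "2021.0.3"),
                          ("mft-03", "10.2.0.5"), ("mft-04", "13.1.0")]:
        print(host, version, *assess(version))
```

A result of "unknown" means the branch is not named on this page and should be checked against the vendor advisory directly.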

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed authentication attempts followed by successful login
  • Unusual database query patterns from MOVEit application user

Network Indicators:

  • SQL injection payloads in HTTP POST requests to MOVEit endpoints
  • Unusual outbound database connections from MOVEit server

SIEM Query:

source="moveit_logs" AND ("sql error" OR "syntax error" OR "unclosed quotation")
