CVE-2023-36934
📋 TL;DR
This is a critical SQL injection vulnerability in Progress MOVEit Transfer that allows unauthenticated attackers to access and modify the database. All organizations running affected versions of MOVEit Transfer are at risk of data theft and system compromise.
💻 Affected Systems
- Progress MOVEit Transfer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential full system takeover.
Likely Case
Unauthorized access to sensitive file transfer data, user credentials, and configuration information stored in the database.
If Mitigated
Limited impact with proper network segmentation, but still potential for data exposure if exploited.
🎯 Exploit Status
Multiple public exploit scripts available. This vulnerability was widely exploited in the wild during the MOVEit Transfer attacks of 2023.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), or 2023.0.4 (15.0.4) depending on your version
Vendor Advisory: https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023
Restart Required: Yes
Instructions:
1. Identify your current MOVEit Transfer version.
2. Download the appropriate patch from the Progress support portal.
3. Apply the patch following Progress documentation.
4. Restart the MOVEit Transfer service.
5. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to MOVEit Transfer to only trusted IP addresses and networks
Configure firewall rules to limit inbound traffic to MOVEit Transfer ports (typically 80/443) from authorized sources only
Web Application Firewall
Deploy a WAF with SQL injection protection rules
Configure WAF to block SQL injection patterns and monitor for suspicious database queries
🧯 If You Can't Patch
- Immediately isolate the MOVEit Transfer server from internet access
- Implement strict network segmentation and monitor all database access attempts
🔍 How to Verify
Check if Vulnerable:
Check your MOVEit Transfer version in the admin interface or via the installed files. Compare it against the patched versions listed in the fix section: any build below the patched version for its branch is affected.
Check Version:
Check MOVEit admin panel or examine installation directory for version files
Verify Fix Applied:
Verify the version number matches or exceeds the patched versions listed in the fix section. Check that SQL injection attempts are blocked.
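The version comparison described above, as an added Python example that is not part of this advisory. It encodes the patched builds from the fix section and relies on the pairing shown there between marketing versions and build numbers (2020.1 is 12.1, 2021.0 is 13.0, and so on); the sample version strings at the bottom are constructed.

```python
import re

# Patched builds per MOVEit Transfer branch, taken from the fix section of this
# advisory: branch (major, minor) -> (fixed build, marketing version).
PATCHED_BY_BRANCH = {
    (12, 1): ((12, 1, 11), "2020.1.11"),
    (13, 0): ((13, 0, 9), "2021.0.9"),
    (13, 1): ((13, 1, 7), "2021.1.7"),
    (14, 0): ((14, 0, 7), "2022.0.7"),
    (14, 1): ((14, 1, 8), "2022.1.8"),
    (15, 0): ((15, 0, 4), "2023.0.4"),
}

# Marketing year -> internal major build number, as paired in the fix section.
YEAR_TO_MAJOR = {2020: 12, 2021: 13, 2022: 14, 2023: 15}


def parse_version(text):
    """Return (major, minor, patch) from text such as '15.0.3' or
    'MOVEit Transfer 2023.0.3'. Raises ValueError if no version is present."""
    m = re.search(r"\b(\d{2,4})\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major in YEAR_TO_MAJOR:  # marketing form, e.g. 2023.0.3 -> 15.0.3
        major = YEAR_TO_MAJOR[major]
    return major, minor, patch


def assess(text):
    """Classify an installed version as 'patched', 'vulnerable' or 'not-listed'."""
    major, minor, patch = parse_version(text)
    entry = PATCHED_BY_BRANCH.get((major, minor))
    if entry is None:
        # Branch absent from the fix section: this script knows no fixed build for it,
        # so it is deliberately not reported as safe (assumption: needs vendor guidance).
        return "not-listed"
    fixed, _marketing = entry
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample version strings, as read from the admin page or a version file.
    for sample in ["15.0.3", "2023.0.4", "14.1.8", "2022.0.6", "12.0.5"]:
        print(f"{sample:>10}: {assess(sample)}")
```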
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries in MOVEit logs
- Multiple failed login attempts followed by successful access
- Unexpected SQL syntax in web request logs
Network Indicators:
- SQL injection patterns in HTTP requests to MOVEit endpoints
- Unusual outbound database connections from MOVEit server
SIEM Query:
source="moveit_logs" AND ("sql" OR "database" OR "injection") AND (severity="high" OR severity="critical")