Cyber Resilience

CVE-2023-34362

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 02 June 2023
Modified: 27 October 2025
KEV Added: 02 June 2023
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9993 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2023-34362 is a critical-severity SQL injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigating controls identified by this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Progress MOVEit Transfer contains a SQL injection vulnerability in its web application affecting all versions prior to 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1, including older unsupported releases. The flaw permits an unauthenticated remote attacker to interact directly with the underlying database engine, whether MySQL, Microsoft SQL Server, or Azure SQL, and to extract structural information or execute statements that modify or remove database contents.

An attacker can reach the vulnerability over HTTP or HTTPS without credentials or user interaction. Successful exploitation yields full read, write, and delete access to database elements, enabling data theft, integrity violations, or denial-of-service conditions consistent with the CVSS 9.8 rating.

Vendor guidance published by Progress directs customers to apply the listed patches immediately; organizations unable to upgrade are advised to restrict external access to MOVEit Transfer instances until remediation can be completed. Public exploit code and detailed technical write-ups have been released, confirming the issue’s practical impact.

The vulnerability was exploited in the wild during May and June 2023. Its EPSS score remains elevated, with a recorded peak of 0.9717 and a current value of 0.9425, indicating sustained exploitation interest after disclosure.


Vulnerability details

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

CWE(s): CWE-89
KEV Date Added: 02 June 2023

Related Threats

Threat-Actor Attribution [AI]

Cl0p (G0092), aka TA505
Mass exploitation of the MOVEit Transfer zero-day in May and June 2023, widely attributed to Cl0p by CISA AA23-158A, Mandiant, and Microsoft.

CVEs Like This One

CVE-2025-2324: same product (Progress MOVEit Transfer)
CVE-2025-11235: same product (Progress MOVEit Transfer)
CVE-2026-8488: same product class (managed file transfer)
CVE-2025-13444: same product class (managed file transfer)
CVE-2026-4670: same product class (managed file transfer)
CVE-2026-5174: same product class (managed file transfer)
CVE-2025-13447: same product class (managed file transfer)
CVE-2026-8487: same product class (managed file transfer)
CVE-2026-8486: same product class (managed file transfer)
CVE-2026-8485: same product class (managed file transfer)

Affected Assets

Progress MOVEit Cloud: ≤ 14.0.5.45 · 14.1.0.0 to 14.1.6.97 · 15.0.0.0 to 15.0.2.39
Progress MOVEit Transfer: ≤ 2021.0.7 · 2021.1.0 to 2021.1.5 · 2022.0.0 to 2022.0.5

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of untrusted input before it is used in database queries, blocking the SQL injection vector in MOVEit.

SI-2 Flaw Remediation (prevent)

Mandates prompt installation of vendor patches that eliminate the unsanitized input flaw in all affected MOVEit versions.

Boundary protection (prevent, detect)

Boundary protection mechanisms such as WAF rules can inspect HTTP/HTTPS requests and block or alert on SQL injection patterns targeting the MOVEit web application.

References