Cyber Posture

CVE-2023-34362

Critical · CISA KEV · Active Exploitation · Public PoC · Ransomware-linked

Published: 02 June 2023
Modified: 27 October 2025
KEV Added: 02 June 2023
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9425 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-34362 is a critical-severity SQL Injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

NVD Description

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Deeper analysis (AI)

Automated synthesis unavailable for this CVE.

Details

CWE(s)
KEV Date Added: 02 June 2023

Affected Products

progress / moveit cloud: ≤ 14.0.5.45 · 14.1.0.0 — 14.1.6.97 · 15.0.0.0 — 15.0.2.39
progress / moveit transfer: ≤ 2021.0.7 · 2021.1.0 — 2021.1.5 · 2022.0.0 — 2022.0.5

CVEs Like This One

CVE-2025-2324 · Same product: Progress MOVEit Transfer
CVE-2025-11235 · Same product: Progress MOVEit Transfer
CVE-2026-5174 · Same product class: managed file transfer
CVE-2026-4670 · Same product class: managed file transfer
CVE-2025-13447 · Same product class: managed file transfer
CVE-2025-13444 · Same product class: managed file transfer
CVE-2025-54309 · Same product class: managed file transfer · both on KEV
CVE-2025-10035 · Same product class: managed file transfer · both on KEV
CVE-2025-36368 · Same product class: managed file transfer
CVE-2025-13774 · Same vendor: Progress
