CVE-2023-34362
Published: 02 June 2023
Summary
CVE-2023-34362 is a critical-severity SQL Injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Progress MOVEit Transfer contains a SQL injection vulnerability in its web application affecting all versions prior to 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1, including older unsupported releases. The flaw permits an unauthenticated remote attacker to interact directly with the underlying database engine, whether MySQL, Microsoft SQL Server, or Azure SQL, and to extract structural information or execute statements that modify or remove database contents.
An attacker can reach the vulnerability over HTTP or HTTPS without credentials or user interaction. Successful exploitation yields full read, write, and delete access to database elements, enabling data theft, integrity violations, or denial-of-service conditions consistent with the CVSS 9.8 rating.
Vendor guidance published by Progress directs customers to apply the listed patches immediately; organizations unable to upgrade are advised to restrict external access to MOVEit Transfer instances until remediation can be completed. Public exploit code and detailed technical write-ups have been released, confirming the issue’s practical impact.
The vulnerability was exploited in the wild during May and June 2023. Its EPSS score remains elevated, with a recorded peak of 0.9717 and a current value of 0.9425, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38442
Vulnerability details
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
- CWE(s): CWE-89
- KEV Date Added: 02 June 2023
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of untrusted input before it is used in database queries, blocking the SQL injection vector in MOVEit.
- SI-2 (Flaw Remediation): Mandates prompt installation of vendor patches that eliminate the unsanitized input flaw in all affected MOVEit versions.
- Boundary protection: Mechanisms such as WAF rules can inspect HTTP/HTTPS requests and block or alert on SQL injection patterns targeting the MOVEit web application.
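To make the three controls above concrete, here is an added illustration of the generic CWE-89 defect beside its parameterized form, together with an SI-10 style allowlist validator and a coarse request check of the kind a boundary-layer WAF rule applies. This is example code written for this page; it is not code from Progress, not the MOVEit Transfer application, and not the actual flaw behind CVE-2023-34362. The SQLite table, the user rows, the e-mail addresses and the function names are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demo; not a real MOVEit schema or real records.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Build an in-memory SQLite table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89 pattern: untrusted input is spliced into the statement text,
    so the database engine parses attacker-controlled characters as SQL."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the value travels as a bound parameter and is never
    interpreted as part of the statement, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# SI-10 style allowlist for this field: usernames are short identifiers, so
# anything outside this character set is rejected before any query is built.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(value):
    """True only when the field matches its expected shape (allowlist, not denylist)."""
    return USERNAME_RE.fullmatch(value) is not None


# Boundary-layer check (WAF-style): coarse signatures for SQL syntax inside a
# request parameter. Deliberately simple: it is an alerting aid at the
# perimeter and will miss encodings, so it never replaces parameterized queries.
SQLI_SIGNATURES = re.compile(
    r"('\s*(or|and)\s*'?\d"          # quote followed by a tautology fragment
    r"|\bunion\b\s+\bselect\b"        # union-based extraction
    r"|;\s*(drop|delete|update|insert)\b"  # stacked destructive statement
    r"|--\s*$)",                      # trailing comment to truncate the query
    re.IGNORECASE,
)


def flag_request_param(value):
    """True if the parameter looks like SQL syntax; the caller alerts or blocks."""
    return SQLI_SIGNATURES.search(value) is not None


def demo():
    """Run the same benign and hostile inputs through each layer and report."""
    conn = make_db()
    benign = "bob"
    hostile = "' OR '1'='1"  # textbook tautology used only to show the defect
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # leaks every row
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),     # no such user
        "validator_rejects_hostile": not validate_username(hostile),
        "waf_flags_hostile": flag_request_param(hostile),
        "waf_flags_benign": flag_request_param(benign),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two query functions differ by one thing only, whether the user-supplied value is part of the statement text or a bound parameter, which is exactly the distinction SI-10 is about in this context. The validator and the boundary check are defence in depth: the allowlist rejects the hostile value because it contains characters a username never needs, and the WAF-style signature flags it for alerting, but both are layered on top of, never instead of, the parameterized query.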