CVE-2023-35036
Published: 12 June 2023
Summary
CVE-2023-35036 is a critical-severity SQL Injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-35036 is a SQL injection vulnerability affecting the web application component of Progress MOVEit Transfer in all releases prior to 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). The flaw, tracked under CWE-89, resides in application endpoints that process untrusted input and permits direct manipulation of backend database queries.
An unauthenticated remote attacker can submit a specially crafted payload to a vulnerable endpoint, resulting in unauthorized disclosure or modification of MOVEit Transfer database contents. The issue carries a CVSS 3.1 score of 9.1, reflecting network attack vector, low complexity, and the absence of required privileges or user interaction.
Vendor advisories from Progress recommend immediate upgrade to one of the listed fixed versions to eliminate the affected code paths. The associated EPSS score has reached a peak of 0.3614 with a current value of 0.3024.
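Because the fix lands at a different patch level in each of the five supported branches, a naive "version greater than X" check misclassifies hosts. The following is an added example, not code from Progress or from this page, that encodes the fixed releases listed above (both the year-style and the legacy 13.x/14.x/15.x numbering) and flags inventory entries that predate the fix for their branch; the hostnames and versions in the sample inventory are constructed, and the treatment of branches newer than 2023.0 as fixed is an assumption.

```python
import re

# First fixed release per branch, as listed in the advisory: key is the branch (major, minor)
# in the year-style scheme, value is the first patch level that carries the fix.
FIXED_PATCH = {
    (2021, 0): 7,  # 2021.0.7 (13.0.7)
    (2021, 1): 5,  # 2021.1.5 (13.1.5)
    (2022, 0): 5,  # 2022.0.5 (14.0.5)
    (2022, 1): 6,  # 2022.1.6 (14.1.6)
    (2023, 0): 2,  # 2023.0.2 (15.0.2)
}
LEGACY_MAJOR = {13: 2021, 14: 2022, 15: 2023}  # same releases under the legacy numbering
OLDEST_FIXED_BRANCH, NEWEST_FIXED_BRANCH = (2021, 0), (2023, 0)
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")  # optional 4th build field

def parse_version(text):
    """Normalise '15.0.1' or '2023.0.1' (optionally with a build field) to (2023, 0, 1)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return LEGACY_MAJOR.get(major, major), minor, patch

def assess(text):
    """Return 'vulnerable', 'fixed' or 'unknown-branch' for one reported version string."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return "vulnerable" if patch < fixed else "fixed"
    if (major, minor) < OLDEST_FIXED_BRANCH:
        return "vulnerable"  # older than every patched branch: no fix was ever issued
    if (major, minor) > NEWEST_FIXED_BRANCH:
        return "fixed"       # assumption: branches newer than 2023.0 ship with the fix
    return "unknown-branch"  # a minor line the advisory does not list

# Constructed sample inventory (hostname, version as reported by the server); not real data.
SAMPLE_INVENTORY = """\
mft-prod-01 2023.0.1
mft-prod-02 2023.0.2
mft-dr-01   14.1.5
mft-legacy  2020.1.6
mft-new     2024.0.0
"""

def hosts_to_patch(inventory=SAMPLE_INVENTORY):
    """Hostnames whose reported version predates the fixed release for its branch."""
    rows = (line.split() for line in inventory.strip().splitlines())
    return [host for host, version in rows if assess(version) == "vulnerable"]
```

Feed it the version strings your asset inventory already collects; an "unknown-branch" result means the advisory does not cover that line and the host needs a manual check.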
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39073
Vulnerability details
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.