Cyber Resilience

CVE-2023-35036

Severity: Critical
Published: 12 June 2023
Modified: 03 January 2025
KEV Added: not listed
Patch: fixed versions available from the vendor (see Deeper analysis)
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.3024 (96.8th percentile)
Risk Priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-35036 is a critical-severity SQL injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-35036 is a SQL injection vulnerability affecting the web application component of Progress MOVEit Transfer in all releases prior to 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). The flaw, tracked under CWE-89, resides in application endpoints that process untrusted input and permits direct manipulation of backend database queries.

An unauthenticated remote attacker can submit a specially crafted payload to a vulnerable endpoint, resulting in unauthorized disclosure or modification of MOVEit Transfer database contents. The issue carries a CVSS 3.1 score of 9.1, reflecting network attack vector, low complexity, and the absence of required privileges or user interaction.

Vendor advisories from Progress recommend immediate upgrade to one of the listed fixed versions to eliminate the affected code paths. The associated EPSS score has reached a peak of 0.3614 with a current value of 0.3024.


Vulnerability details

In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

CWE(s): CWE-89 (SQL Injection)

Related Threats

Threat-Actor Attribution

Cl0p (G0092), aka TA505
The Cl0p ransomware group mass-exploited MOVEit Transfer SQL injection zero-days, including CVE-2023-35036 (Mandiant, Microsoft and Unit 42 reporting).

Affected Assets

Progress MOVEit Transfer: ≤ 2021.0.7; 2021.1.0 to 2021.1.5; 2022.0.0 to 2022.0.5

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
