CVE-2023-35708
Published: 16 June 2023
Summary
CVE-2023-35708 is a critical-severity SQL Injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-35708 is a SQL injection vulnerability (CWE-89) affecting the web application component of Progress MOVEit Transfer prior to versions 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). An unauthenticated attacker can submit a crafted payload to an application endpoint, resulting in unauthorized modification or disclosure of MOVEit database content. The issue carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the flaw over the network, without credentials or user interaction, to gain direct read and write access to the MOVEit Transfer database.
Vendor advisories from Progress and CISA recommend immediate upgrade to the fixed releases listed above; Progress also supplies corresponding DLL drop-in updates (2020.1.10, 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, and 2023.0.3) for environments that cannot perform full upgrades. The EPSS score has remained high, with a current value of 0.8018 and a peak of 0.8172.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39707
Vulnerability details
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.