
CVE-2023-35708

Critical

Published: 16 June 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8018 (99.1st percentile)
Risk priority: 68 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-35708 is a critical-severity SQL injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-35708 is a SQL injection vulnerability (CWE-89) affecting the web application component of Progress MOVEit Transfer prior to versions 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). An unauthenticated attacker can submit a crafted payload to an application endpoint, resulting in unauthorized modification or disclosure of MOVEit database content. The issue carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can exploit the flaw over the network without credentials or user interaction to obtain direct access to the MOVEit Transfer database, enabling both read and write operations on its contents.

Advisories from Progress and CISA recommend an immediate upgrade to the fixed releases listed above; Progress also supplies corresponding DLL drop-in updates (2020.1.10, 2021.0.8, 2021.1.6, 2022.0.6, 2022.1.7, and 2023.0.3) for environments that cannot perform a full upgrade. The EPSS score has remained high, with a current value of 0.8018 and a peak of 0.8172.


Vulnerability details

In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. The fixed versions of the DLL drop-in are: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).

CWE(s): CWE-89 (SQL Injection)

Related Threats

Threat-Actor Attribution (AI)

Cl0p (G0092), aka TA505
Widely attributed by Mandiant, Microsoft, and CISA to Cl0p's June 2023 mass-exploitation campaign against the MOVEit Transfer zero-day.

Affected Assets

Progress MOVEit Transfer: ≤ 2020.1.10; 2021.0.6 to 2021.0.8; 2021.1.4 to 2021.1.6

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
