Cyber Resilience

CVE-2023-36932

High

Published: 05 July 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.1412 (94.5th percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-36932 is a high-severity SQL Injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-36932 is a set of SQL injection flaws (CWE-89) affecting the web application component of Progress MOVEit Transfer prior to versions 2020.1.11, 2021.0.9, 2021.1.7, 2022.0.7, 2022.1.8, and 2023.0.4. The issues reside in multiple application endpoints that accept attacker-controlled input without adequate sanitization, enabling direct interaction with the backend database.

An authenticated attacker holding low-privileged MOVEit Transfer credentials can send a crafted request to a vulnerable endpoint. Successful exploitation grants the ability to read and modify arbitrary database contents, consistent with the CVSS 8.1 rating, which reflects network-reachable impact on confidentiality and integrity with no user interaction required.

Progress has released service packs dated July 2023 that remediate the vulnerabilities; the advisories direct administrators to apply the listed updates from the MOVEit Transfer download page or the associated community article. The EPSS score has remained in the 0.14–0.18 range without a pronounced post-disclosure climb.

EU & UK References

Vulnerability details

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
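The advisory lists six fixed releases, each under both its marketing number (2020.1.11) and its internal number (12.1.11). The following is an added example, not code from the advisory or from Progress: it normalises either numbering scheme and reports whether an inventoried version is below the first fixed release of its branch. The `INTERNAL_OFFSET` of 2008 is inferred from the six pairs the advisory gives (2020→12, 2021→13, 2022→14, 2023→15); the treatment of branches outside those six (older ones vulnerable, newer ones not affected) is an assumption drawn from the wording "before 2020.1.11", and the host inventory is constructed sample data.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, keyed by (major, minor) in marketing
# numbering. Internal equivalents from the advisory are noted inline.
FIXED: Dict[Tuple[int, int], Version] = {
    (2020, 1): (2020, 1, 11),  # 12.1.11
    (2021, 0): (2021, 0, 9),   # 13.0.9
    (2021, 1): (2021, 1, 7),   # 13.1.7
    (2022, 0): (2022, 0, 7),   # 14.0.7
    (2022, 1): (2022, 1, 8),   # 14.1.8
    (2023, 0): (2023, 0, 4),   # 15.0.4
}

# Inferred (assumption) from the advisory's pairs: internal major = year - 2008.
INTERNAL_OFFSET = 2008


def normalize(version: str) -> Version:
    """Parse '2022.1.8' or '14.1.8' into a comparable (2022, 1, 8) tuple."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    major, minor, patch = parts
    if major < 100:               # internal numbering (12.x .. 15.x)
        major += INTERNAL_OFFSET
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the version precedes the first fixed release of its branch."""
    major, minor, patch = normalize(version)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    # Assumption: anything older than the 2020.1 branch is "before 2020.1.11"
    # and has no listed fix; branches newer than 2023.0 postdate the fix.
    return branch < (2020, 1)


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return sorted hostnames whose MOVEit Transfer version is still affected."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))


# Constructed sample inventory: hostname -> reported MOVEit Transfer version.
SAMPLE_INVENTORY = {
    "mft-01": "2023.0.3",   # one below the 2023.0 fix
    "mft-02": "15.0.4",     # internal number of the 2023.0 fix
    "mft-03": "13.0.8",     # internal number, below 13.0.9
    "mft-04": "2022.1.8",   # fixed
    "mft-05": "2020.0.6",   # branch older than any listed fix
}

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_INVENTORY))  # ['mft-01', 'mft-03', 'mft-05']
```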

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Progress MOVEit Transfer: ≤ 2020.1.11 · 2021.0 — 2021.0.9 · 2021.1.0 — 2021.1.7

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the entries below are derived from the weakness type (CWE-89) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying SQL injection weaknesses and supporting their fixes.

Addresses CWE-89: Input validation checks query inputs to prevent manipulation of SQL syntax or commands.

References