CVE-2023-36932
Published: 05 July 2023
Summary
CVE-2023-36932 is a high-severity SQL Injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-36932 is a set of SQL injection flaws (CWE-89) affecting the web application component of Progress MOVEit Transfer prior to versions 2020.1.11, 2021.0.9, 2021.1.7, 2022.0.7, 2022.1.8, and 2023.0.4. The issues reside in multiple application endpoints that accept attacker-controlled input without adequate sanitization, enabling direct interaction with the backend database.
An authenticated attacker with low-privileged MOVEit Transfer credentials can send a crafted request to a vulnerable endpoint. Successful exploitation grants the ability to read and modify arbitrary database contents, corresponding to the observed CVSS 8.1 rating that reflects network-accessible impact on confidentiality and integrity without requiring user interaction.
Progress has released service packs dated July 2023 that remediate the vulnerabilities; the advisories direct administrators to apply the listed updates from the MOVEit Transfer download page or the associated community article. The EPSS score has remained in the 0.14–0.18 range without a pronounced post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40852
Vulnerability details
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
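The "Deeper analysis" and "Vulnerability details" sections both describe the same root cause: request input reaching a database query as SQL text rather than as data. The following Python example is added here to illustrate that weakness class and its fix; it is not MOVEit Transfer code and says nothing about MOVEit's actual schema or endpoints. It uses a hypothetical file-transfer table (`files`, with constructed rows) to show the CWE-89 pattern beside a parameterized query, and it also covers the case parameters cannot handle, an attacker-influenced column name, which is checked against an allowlist instead.

```python
import sqlite3

# Constructed sample schema and rows for a hypothetical file-transfer app.
# This is not MOVEit Transfer's schema; it exists only to make the example runnable.
SAMPLE_FILES = [
    (1, "alice", "report.pdf"),
    (2, "bob", "payroll.xlsx"),
    (3, "carol", "notes.txt"),
]

# Identifiers cannot be bound as query parameters, so sort columns are allowlisted.
ALLOWED_SORT_COLUMNS = {"id", "owner", "name"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_FILES)
    conn.commit()
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """CWE-89 pattern: the caller-supplied value is spliced into the SQL text,
    so quote characters in it are parsed as SQL grammar instead of as data."""
    sql = f"SELECT id, owner, name FROM files WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def list_files_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the value travels as a bound parameter and the SQL text
    itself is a constant, so no input can change the query's structure."""
    return conn.execute(
        "SELECT id, owner, name FROM files WHERE owner = ?", (owner,)
    ).fetchall()


def list_files_sorted(conn: sqlite3.Connection, owner: str, sort_by: str) -> list:
    """Column names cannot be parameterized, so an attacker-influenced sort key
    is validated against a fixed allowlist before it is placed in the SQL text."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(
        f"SELECT id, owner, name FROM files WHERE owner = ? ORDER BY {sort_by}",
        (owner,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed test input: the textbook tautology
    print(list_files_vulnerable(db, crafted))  # returns every row, not just one owner's
    print(list_files_safe(db, crafted))        # returns [] because no owner has that literal name
```

The two lookups differ only in how the value reaches the database, which is exactly the remediation the vendor's service packs apply at the application layer: the query text becomes fixed and user input is bound separately. The allowlist function is the complement worth remembering during code review, since an `ORDER BY` or table name passed through from a request is a common place where "we use parameters everywhere" still leaves a CWE-89 path.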
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.