Cyber Resilience

CVE-2023-36934

Critical

Published: 05 July 2023
Modified: 21 November 2024
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (July 2023 service packs)
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.9128 (99.7th percentile)
Risk Priority: 73 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-36934 is a critical-severity SQL injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-36934 is a SQL injection vulnerability in the Progress MOVEit Transfer web application, present in all releases before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The flaw exists in an application endpoint and carries a CVSS 3.1 score of 9.1, reflecting a network-reachable, low-complexity attack that requires no authentication or user interaction.

An unauthenticated remote attacker can submit a specially crafted payload to the affected endpoint, enabling arbitrary modification and disclosure of MOVEit Transfer database contents. The weakness is tracked as CWE-89.

Progress security advisories direct customers to install the July 2023 service packs that remediate the issue across the listed branches. The associated EPSS score currently stands at 0.9128 with a recorded peak of 0.9210.

EU & UK References

Vulnerability details

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

Threat-Actor Attribution (AI-generated)

Cl0p
Cl0p ransomware exploited this MOVEit Transfer SQLi zero-day in the 2023 mass campaign (Mandiant, Unit 42, Microsoft reports).

Affected Assets

Progress MOVEit Transfer: ≤ 12.1.11; 13.0.0 to 13.0.9; 13.1.0 to 13.1.7

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.

References