Experts found new MOVEit Transfer SQL Injection flaws

Progress Software released security updates to fix several new SQL injection vulnerabilities in the MOVEit Transfer application.

Progress Software has released security updates to address new SQL injection vulnerabilities in the MOVEit Transfer application.

An attacker can exploit the SQL injection vulnerabilities in the MOVEit Transfer solution to steal sensitive information.

“SQL Injection (CVE pending MITRE) In Progress MOVEit Transfer versions released before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database.” reads the advisory published by the company. “An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

All versions of MOVEit Transfer are affected by these vulnerabilities.

The vulnerabilities were discovered by researchers from the cybersecurity firm Huntress.

The good news is that Progress Software is not aware of attacks in the wild exploiting these vulnerabilities.

Recently another MOVEit Transfer vulnerability, tracked as CVE-2023-34362, made the headlines.

The vulnerability is a SQL injection vulnerability, it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

The Clop ransomware gang claims to have hacked hundreds of companies by exploiting the above issue.

Kroll researchers discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit Transfer since 2021.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cyberattack)