Progress warns customers of a new critical flaw in MOVEit Transfer software

Pierluigi Paganini July 07, 2023

Progress released security patches for a new critical SQL injection vulnerability affecting its MOVEit Transfer software.

Progress is informing customers of a new critical SQL injection vulnerability, tracked as CVE-2023-36934, in its MOVEit Transfer software.

MOVEit Transfer software recently made the headlines due to the massive Clop ransomware hacking campaign exploiting a vulnerability in the product.

“a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.” reads the advisory published by Progress. “An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

The flaw CVE-2023-36934 impacts software versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4), the vulnerability was reported by Guy Lederfein of Trend Micro working through the Zero Day Initiative.

MOVEit Transfer software

 The company also addressed high-severity rating issues collectively tracked as CVE-2023-36932.

The flaws impacts In Progress MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4).

“multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database.” continues the advisory. “An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

The company also fixed another high-severity issue, tracked as CVE-2023-36933, which can be exploited by an attacker to cause unexpected termination of the application.

The issue affects MOVEit Transfer versions released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4).

“it is possible for an attacker to invoke a method that results in an unhandled exception.  Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.” reads the advisory.

“Look for your current version and apply the Service Pack. Only full installers are available due to the nature of the included updates.”

Affected VersionFixed Version (Full Installer)DocumentationRelease Notes
MOVEit Transfer 2023.0.x (15.0.x)MOVEit Transfer 2023.0.4 (15.0.4)MOVEit 2023 Upgrade Documentation  MOVEit Transfer 2023.0.4 Release Notes
MOVEit Transfer 2022.1.x (14.1.x)MOVEit Transfer 2022.1.8 (14.1.8)MOVEit 2022 Upgrade DocumentationMOVEit Transfer 2022.1.8 Release Notes
MOVEit Transfer 2022.0.x (14.0.x)MOVEit Transfer 2022.0.7 (14.0.7)MOVEit 2022 Upgrade DocumentationMOVEit Transfer 2022.0.7 Release Notes
MOVEit Transfer 2021.1.x (13.1.x)MOVEit Transfer 2021.1.7 (13.1.7)MOVEit 2021 Upgrade DocumentationMOVEit Transfer 2021.1.7 Release Notes
MOVEit Transfer 2021.0.x (13.0.x)MOVEit Transfer 2021.0.9 (13.0.9)MOVEit 2021 Upgrade Documentation  MOVEit Transfer 2021.0.9 Release Notes
MOVEit Transfer 2020.1.6 (12.1.6) or laterSpecial Service Pack AvailableSee KB 000236830
MOVEit Transfer 2020.1 Service
Pack (July 2023)
MOVEit Transfer 2020.1.7 Release Notes
MOVEit Transfer 2020.0.x (12.0.x) or olderMust Upgrade to a Supported VersionSee MOVEit Transfer Upgrade and
Migration Guide 
N/A

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MOVEit Transfer software)



you might also like

leave a comment