Progress warns customers of a new critical flaw in MOVEit Transfer software

Progress released security patches for a new critical SQL injection vulnerability affecting its MOVEit Transfer software.

Progress is informing customers of a new critical SQL injection vulnerability, tracked as CVE-2023-36934, in its MOVEit Transfer software.

MOVEit Transfer software recently made the headlines due to the massive Clop ransomware hacking campaign exploiting a vulnerability in the product.

“a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.” reads the advisory published by Progress. “An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

The flaw CVE-2023-36934 impacts software versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4), the vulnerability was reported by Guy Lederfein of Trend Micro working through the Zero Day Initiative.

 The company also addressed high-severity rating issues collectively tracked as CVE-2023-36932.

The flaws impacts In Progress MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4).

“multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database.” continues the advisory. “An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

The company also fixed another high-severity issue, tracked as CVE-2023-36933, which can be exploited by an attacker to cause unexpected termination of the application.

The issue affects MOVEit Transfer versions released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4).

“it is possible for an attacker to invoke a method that results in an unhandled exception.  Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.” reads the advisory. “

“Look for your current version and apply the Service Pack. Only full installers are available due to the nature of the included updates.”

Affected Version	Fixed Version (Full Installer)	Documentation	Release Notes
MOVEit Transfer 2023.0.x (15.0.x)	MOVEit Transfer 2023.0.4 (15.0.4)	MOVEit 2023 Upgrade Documentation	MOVEit Transfer 2023.0.4 Release Notes
MOVEit Transfer 2022.1.x (14.1.x)	MOVEit Transfer 2022.1.8 (14.1.8)	MOVEit 2022 Upgrade Documentation	MOVEit Transfer 2022.1.8 Release Notes
MOVEit Transfer 2022.0.x (14.0.x)	MOVEit Transfer 2022.0.7 (14.0.7)	MOVEit 2022 Upgrade Documentation	MOVEit Transfer 2022.0.7 Release Notes
MOVEit Transfer 2021.1.x (13.1.x)	MOVEit Transfer 2021.1.7 (13.1.7)	MOVEit 2021 Upgrade Documentation	MOVEit Transfer 2021.1.7 Release Notes
MOVEit Transfer 2021.0.x (13.0.x)	MOVEit Transfer 2021.0.9 (13.0.9)	MOVEit 2021 Upgrade Documentation	MOVEit Transfer 2021.0.9 Release Notes
MOVEit Transfer 2020.1.6 (12.1.6) or later	Special Service Pack Available	See KB 000236830 MOVEit Transfer 2020.1 Service Pack (July 2023)	MOVEit Transfer 2020.1.7 Release Notes
MOVEit Transfer 2020.0.x (12.0.x) or older	Must Upgrade to a Supported Version	See MOVEit Transfer Upgrade and Migration Guide	N/A

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MOVEit Transfer software)