Progress Software has announced a security update for its widely used managed file transfer product, MOVEit Transfer. The company has identified and patched a critical SQL injection vulnerability, tracked as CVE-2023-36934. The flaw could grant unauthorized access to the MOVEit Transfer database, including to unauthenticated attackers.
SQL injection vulnerabilities are well known and highly dangerous, as they enable attackers to manipulate databases and execute arbitrary code. By exploiting this particular vulnerability, an attacker can send specially crafted payloads to specific endpoints of the affected application and thereby alter or expose sensitive data stored in the database. What makes CVE-2023-36934 especially critical is that it can be exploited without valid login credentials, so an attacker needs no account on the system to take advantage of it. It is important to note, however, that no reports of active exploitation of this specific vulnerability have surfaced so far.
This discovery comes in the wake of a series of recent cyberattacks that targeted MOVEit Transfer by leveraging a different SQL injection vulnerability, known as CVE-2023-34362, in conjunction with the Clop ransomware. These attacks resulted in data theft and extortion, causing significant financial and reputational damage to the affected organizations.
Furthermore, Progress Software has also addressed two additional high-severity vulnerabilities as part of their latest security update. The first vulnerability, CVE-2023-36932, is another SQL injection flaw that can be exploited by attackers who are already logged in, allowing them to gain unauthorized access to the MOVEit Transfer database. The second vulnerability, CVE-2023-36933, permits attackers to unexpectedly shut down the MOVEit Transfer program, causing disruption and potential data loss.
The discovery of these vulnerabilities and the subsequent patches were made possible through responsible reporting by security researchers. It is worth noting that these vulnerabilities affect multiple versions of MOVEit Transfer: 12.1.10 and previous versions, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and earlier.
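As an added example (not code from Progress Software or this article), the following Python script turns the affected-version list above into an inventory check a defender can run against their own MOVEit Transfer hosts. The host names and version strings in the sample inventory are constructed, and the branch boundaries are taken only from the ranges quoted in the text.

```python
"""Triage MOVEit Transfer builds against the affected ranges in the advisory:
12.1.10 and prior, 13.0.8, 13.1.6, 14.0.6, 14.1.7 and 15.0.3 and earlier.
Branches the advisory does not name are reported as "unknown", never as safe."""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Last affected build on each branch, keyed by (major, minor), from the advisory.
LAST_AFFECTED: Dict[Tuple[int, int], Version] = {
    (12, 1): (12, 1, 10),
    (13, 0): (13, 0, 8),
    (13, 1): (13, 1, 6),
    (14, 0): (14, 0, 6),
    (14, 1): (14, 1, 7),
    (15, 0): (15, 0, 3),
}

def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; any further build components are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def exposure(version_text: str) -> str:
    """Return 'affected', 'patched' or 'unknown' for one installed build."""
    v = parse_version(version_text)
    # "12.1.10 and previous versions": everything at or below that build,
    # including older branches such as 12.0.x, is treated as affected.
    if v <= LAST_AFFECTED[(12, 1)]:
        return "affected"
    last = LAST_AFFECTED.get((v[0], v[1]))
    if last is None:
        return "unknown"  # branch not covered by the advisory text
    return "affected" if v <= last else "patched"

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to its exposure status."""
    return {host: exposure(ver) for host, ver in inventory.items()}

# Constructed sample inventory: hypothetical hosts and version strings.
SAMPLE_INVENTORY = {
    "mft-01.example.internal": "15.0.3",
    "mft-02.example.internal": "15.0.4",
    "mft-legacy.example.internal": "12.0.4",
}
if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:30} {status}")
```

A host reported as "unknown" is on a branch the advisory text does not cover and should be checked against the vendor's release notes rather than assumed patched.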
To mitigate the risks associated with these vulnerabilities, Progress Software has made the necessary updates available for all major versions of MOVEit Transfer. Users are strongly advised to promptly update to the latest version to ensure the security and integrity of their file transfer operations and safeguard their sensitive data from potential unauthorized access and unexpected program shutdowns.