Progress Software has announced the identification and resolution of a critical SQL injection vulnerability within MOVEit Transfer, software widely utilized for secure file transfers. Alongside this, the company has addressed two additional high-severity vulnerabilities that also pose significant security risks.

The SQL injection vulnerability, designated as CVE-2023-36934, could enable unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database, a fact that heightens the stakes given the sensitive nature of the data handled by this software.

SQL injection vulnerabilities present substantial security concerns, allowing malicious actors to manipulate databases by executing unauthorized queries. Attackers can exploit these vulnerabilities by sending specifically crafted payloads to vulnerable endpoints, thus altering or exposing confidential information stored within the database.

The critical nature of CVE-2023-36934 lies in the fact that it can be exploited without valid user credentials: an attacker with no account on the system can trigger it, which is why it has raised alarm bells in the cybersecurity community. Fortunately, to date, there are no reports of attackers actively exploiting this specific vulnerability.

This discovery follows previous cyberattacks that leveraged a different SQL injection flaw, CVE-2023-34362. That earlier threat was associated with Clop ransomware, a type of malware that has caused significant data theft and financial extortion within various organizations.

The most recent updates from Progress Software also address two additional high-severity vulnerabilities: CVE-2023-36932 and CVE-2023-36933. The former can be exploited by attackers who are already authenticated, allowing them to compromise the MOVEit Transfer database. The latter could permit an attacker to cause unexpected shutdowns of the MOVEit Transfer application, affecting its availability and stability.

The vulnerabilities, reported to Progress Software by researchers from HackerOne and Trend Micro's Zero Day Initiative, affect a range of MOVEit Transfer versions, from 12.1.10 and earlier through 15.0.3 and earlier, making it imperative for administrators to review and apply these security updates.

Progress Software has released necessary patches for all significant MOVEit Transfer versions. Users are strongly encouraged to upgrade to the latest software versions to mitigate the risks associated with these vulnerabilities, reinforcing their cybersecurity posture against potential attacks.
