
CVE-2021-38159: Progress MOVEit Transfer SQLi Vulnerability

CVE-2021-38159 is a SQL injection vulnerability in Progress MOVEit Transfer that allows unauthenticated attackers to access the database. This article covers technical details, affected versions, impact, and mitigation.

Published: February 25, 2026

CVE-2021-38159 Overview

CVE-2021-38159 is a critical SQL injection vulnerability affecting Progress MOVEit Transfer, a widely used managed file transfer solution deployed across enterprise environments. The vulnerability exists in the MOVEit Transfer web application and allows unauthenticated remote attackers to gain unauthorized access to the database backend through specially crafted input strings sent to unique MOVEit Transfer transaction types.

The impact varies depending on the underlying database engine (MySQL, Microsoft SQL Server, or Azure SQL), but attackers may be able to infer information about database structure and contents, or execute SQL statements that alter or delete database elements without authentication.

Critical Impact

Unauthenticated remote attackers can compromise database confidentiality, integrity, and availability through SQL injection, potentially leading to full database compromise and data exfiltration.

Affected Products

  • Progress MOVEit Transfer versions before 2021.0.4 (13.0.4)
  • Progress MOVEit Transfer versions before 2020.1.6 (12.1.6)
  • Progress MOVEit Transfer versions before 2020.0.7 (12.0.7)
  • Progress MOVEit Transfer versions before 2019.2.4 (11.2.4)
  • Progress MOVEit Transfer versions before 2019.1.7 (11.1.7)
  • Progress MOVEit Transfer versions before 2019.0.8 (11.0.8)

Discovery Timeline

  • August 7, 2021 - CVE-2021-38159 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-38159

Vulnerability Analysis

This SQL Injection vulnerability (CWE-89) allows unauthenticated attackers to manipulate database queries through the MOVEit Transfer web application. The flaw stems from improper neutralization of special elements used in SQL commands, enabling attackers to inject malicious SQL code via crafted strings targeting unique MOVEit Transfer transaction types.

The attack is particularly dangerous because it requires no authentication and can be executed remotely over the network. Since MOVEit Transfer is commonly used for sensitive file transfers in enterprise environments, successful exploitation could expose confidential business data, personally identifiable information (PII), or enable attackers to establish persistence within the target environment.

Root Cause

The vulnerability originates from insufficient input validation and improper sanitization of user-supplied data within the MOVEit Transfer web application. When processing certain transaction types, the application fails to properly escape or parameterize user input before incorporating it into SQL queries. This allows attackers to break out of the intended query context and inject arbitrary SQL commands.

The lack of prepared statements or parameterized queries for these specific transaction handlers creates a direct path for SQL injection attacks. The vulnerability affects multiple database backends (MySQL, Microsoft SQL Server, and Azure SQL), indicating the injection point occurs at the application layer before database-specific query construction.
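The query-construction flaw described above, as an added illustration that is not MOVEit Transfer code: a constructed in-memory table, a lookup that splices the caller's input into the SQL text, and the same lookup with bound parameters. The table, column names and input are assumptions chosen for the demo.

```python
import sqlite3

# Constructed demo table standing in for an application lookup keyed on a
# user-supplied identifier (not the MOVEit Transfer schema).
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", [
        (1, "alice", "q1-report.pdf"),
        (2, "bob", "payroll.xlsx"),
    ])
    return conn

def lookup_vulnerable(conn, owner: str, file_id: str) -> list:
    # The CWE-89 pattern: input becomes part of the SQL text, so a quote
    # character and an operator in it change the structure of the query.
    sql = (f"SELECT name FROM files WHERE owner = '{owner}' "
           f"AND id = '{file_id}'")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, owner: str, file_id: str) -> list:
    # Placeholders are bound after the statement is parsed: the input stays
    # data, and the same code is correct regardless of the database engine.
    sql = "SELECT name FROM files WHERE owner = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (owner, file_id))]

def demo() -> tuple:
    conn = setup_db()
    # The "OR 1=1" tautology named in the indicators list below, in quoted form.
    crafted = "1' OR '1'='1"
    leaked = lookup_vulnerable(conn, "alice", crafted)    # every owner's rows
    safe = lookup_parameterized(conn, "alice", crafted)   # nothing matches
    return leaked, safe
```

In the vulnerable path the string becomes `... AND id = '1' OR '1'='1'`, and because AND binds tighter than OR the filter on the owner is bypassed for every row; the parameterized path compares the integer column against the whole literal string and returns no rows.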

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying a vulnerable MOVEit Transfer instance exposed to the network
  2. Crafting malicious SQL injection payloads targeting unique MOVEit Transfer transaction types
  3. Sending the crafted strings to the web application endpoints
  4. Extracting database information through inference techniques (blind SQL injection) or direct data retrieval
  5. Potentially modifying or deleting database elements to disrupt operations or cover tracks

The specific exploitation technique depends on the underlying database engine, with each platform offering different capabilities for data extraction and command execution.

Detection Methods for CVE-2021-38159

Indicators of Compromise

  • Anomalous HTTP requests to MOVEit Transfer endpoints containing SQL syntax characters (e.g., single quotes, UNION statements, OR 1=1 patterns)
  • Unexpected database queries or errors in database server logs
  • Unusual data access patterns or bulk data retrieval from MOVEit Transfer database
  • Web application firewall (WAF) alerts for SQL injection attempts targeting MOVEit Transfer URLs
  • Database performance degradation or timeout errors coinciding with suspicious web traffic

Detection Strategies

  • Deploy web application firewall (WAF) rules specifically targeting SQL injection patterns in MOVEit Transfer transaction parameters
  • Enable detailed logging on MOVEit Transfer web servers and correlate with database query logs
  • Monitor for unusual outbound data transfers that could indicate data exfiltration following successful exploitation
  • Implement database activity monitoring to detect anomalous query patterns or privilege escalation attempts
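A small log-side check for the request indicators listed above, added here as an example rather than taken from the page or from any SentinelOne product. It URL-decodes the query string before matching and flags on query structure (UNION ... SELECT, trailing comment markers, boolean tautologies) rather than on a bare single quote, which would fire on ordinary names. The access-log lines and the paths in them are constructed placeholders, not MOVEit Transfer endpoints.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a common web-server access-log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /transfer/list?folder=42 HTTP/1.1" 200 512
198.51.100.9 - - [01/Mar/2026:10:00:02 +0000] "GET /transfer/list?folder=42%27%20OR%201%3D1-- HTTP/1.1" 200 9812
198.51.100.9 - - [01/Mar/2026:10:00:03 +0000] "GET /transfer/list?folder=1+UNION+SELECT+1,2,3 HTTP/1.1" 500 120
10.0.0.7 - - [01/Mar/2026:10:00:04 +0000] "POST /transfer/upload?name=O%27Brien.pdf HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Checked against the decoded query string, not the raw URL.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),           # UNION ... SELECT
    re.compile(r"(--|/\*|#)\s*$"),                        # trailing comment
    re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),  # OR 1=1
]

def decode_query(path: str) -> str:
    # One decoding pass: %27 is a quote, + and %20 are spaces. Double-encoded
    # input would need a second pass; do that upstream, not by looping here.
    _, _, query = path.partition("?")
    return unquote_plus(query)

def scan_log(text: str) -> list:
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        src, ts, method, path, status = m.groups()
        decoded = decode_query(path)
        matched = [p for p in SQLI_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({"src": src, "time": ts, "method": method,
                         "path": path, "decoded": decoded,
                         "status": int(status), "rules": len(matched)})
    return hits
```

A 500 status on a flagged request is worth a second look, since it often corresponds to the database errors the indicators list calls out.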

Monitoring Recommendations

  • Enable verbose logging on MOVEit Transfer and forward logs to a SIEM for centralized analysis
  • Configure alerting for authentication failures combined with database errors
  • Monitor network traffic for large data transfers from database servers
  • Regularly audit database user privileges and review access patterns for anomalies

How to Mitigate CVE-2021-38159

Immediate Actions Required

  • Upgrade Progress MOVEit Transfer to a patched version immediately
  • If immediate patching is not possible, restrict network access to MOVEit Transfer to trusted IP addresses only
  • Enable web application firewall rules to block common SQL injection patterns
  • Review database and application logs for signs of prior exploitation
  • Consider taking vulnerable instances offline until patching is complete

Patch Information

Progress has released security patches addressing this vulnerability. Organizations should upgrade to one of the following fixed versions:

Version Branch    Fixed Version
2021.0.x          2021.0.4 (13.0.4)
2020.1.x          2020.1.6 (12.1.6)
2020.0.x          2020.0.7 (12.0.7)
2019.2.x          2019.2.4 (11.2.4)
2019.1.x          2019.1.7 (11.1.7)
2019.0.x          2019.0.8 (11.0.8)

For detailed patching instructions, refer to the Progress MOVEit Vulnerability Advisory.

Workarounds

  • Implement network segmentation to limit exposure of MOVEit Transfer instances to untrusted networks
  • Deploy a web application firewall (WAF) with SQL injection detection capabilities in front of MOVEit Transfer
  • Apply strict IP whitelisting to limit access to known, trusted sources
  • Enable database connection encryption and implement least-privilege database accounts for the MOVEit Transfer application
  • Conduct a security audit of database permissions to ensure the application account has minimal required privileges

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: SQLI
  • Vendor/Tech: Progress MOVEit Transfer
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 3.42%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-89

Vendor Resources

  • Progress MOVEit Vulnerability Advisory
  • Progress MOVEit Information Page

Related CVEs

  • CVE-2023-34362: Progress MOVEit Transfer SQLi Vulnerability
  • CVE-2023-42660: Progress MOVEit Transfer SQLi Vulnerability
  • CVE-2023-36934: Progress MOVEit Transfer SQLi Vulnerability
  • CVE-2023-36932: Progress MOVEit Transfer SQLi Vulnerability