CVE-2023-34362 Overview
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
Critical Impact
Unauthenticated attackers can exploit this SQL injection vulnerability to gain unauthorized access to critical database systems, potentially leading to significant data loss or system compromise.
Affected Products
- Progress MOVEit Cloud
- Progress MOVEit Transfer
Discovery Timeline
- 2023-05-31 - Progress releases security patch
- 2023-06-02 - CVE-2023-34362 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2023-34362
Vulnerability Analysis
The SQL injection vulnerability in MOVEit Transfer allows attackers to manipulate SQL queries sent to the database, which leads to unauthorized access, data alteration, or deletion. The vulnerability is particularly severe because an unauthenticated remote attacker can exploit it easily over the network.
Root Cause
The root cause of this vulnerability is improper validation of input that the MOVEit Transfer web application incorporates into SQL queries, which allows malicious input to alter the queries' execution logic.
Attack Vector
The attack is conducted over the network via HTTP or HTTPS, targeting vulnerable web endpoints that process SQL queries without adequate input sanitization.
-- Example exploitation code (sanitized)
SELECT * FROM Users WHERE name = '' OR '1'='1';
Detection Methods for CVE-2023-34362
Indicators of Compromise
- Unexpected database queries with suspicious patterns
- Altered or deleted database records
- Unauthorized database access logs
Detection Strategies
Utilize anomaly detection on database queries to identify unusual patterns, especially looking for tautology-based SQL logic or unexpected access attempts.
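The tautology check described above can be prototyped as follows. This is an added example, not code from the original page or from Progress: it flags logged statements in which an OR compares a constant with itself. The log format and sample lines are constructed, and the heuristic covers only constant-to-constant comparisons.

```python
import re

# Literal: single-quoted string (with '' escapes) or a number.
LITERAL = r"(?:'(?:[^']|'')*'|\d+(?:\.\d+)?)"
# "OR <literal> = <literal>", the shape of a tautology appended to a WHERE clause.
OR_COMPARE = re.compile(rf"\bOR\s+({LITERAL})\s*=\s*({LITERAL})", re.IGNORECASE)


def normalize(literal):
    """Strip quotes so that '1' and 1 compare as the same constant."""
    if literal.startswith("'"):
        return literal[1:-1].replace("''", "'")
    return literal


def tautologies(query):
    """Return every OR-comparison in `query` whose two sides are the same constant."""
    hits = []
    for match in OR_COMPARE.finditer(query):
        left, right = match.group(1), match.group(2)
        if normalize(left) == normalize(right):
            hits.append(match.group(0))
    return hits


def scan(log_lines):
    """Return (line_number, matched_fragment) for each suspicious logged query."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        for fragment in tautologies(line):
            findings.append((number, fragment))
    return findings


# Constructed sample log (hypothetical format: timestamp, client, statement).
SAMPLE_LOG = [
    "2023-06-01T10:00:01Z app01 SELECT * FROM Users WHERE name = 'alice'",
    "2023-06-01T10:00:02Z app01 SELECT * FROM Users WHERE name = '' OR '1'='1'",
    "2023-06-01T10:00:03Z app01 SELECT id FROM Files WHERE owner = 7 OR status = 'open'",
    "2023-06-01T10:00:04Z app01 SELECT * FROM Users WHERE id = 0 or 2 = 2",
    "2023-06-01T10:00:05Z app01 SELECT * FROM Users WHERE note = 'this OR that'",
]

if __name__ == "__main__":
    for number, fragment in scan(SAMPLE_LOG):
        print(f"line {number}: tautology {fragment!r}")
```

Legitimate queries that compare a column with a constant (line 3) and string values that merely contain the word OR (line 5) are not flagged.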
Monitoring Recommendations
Implement logging for all database operations and enable alerts for unusual query patterns or failed login attempts.
How to Mitigate CVE-2023-34362
Immediate Actions Required
- Apply the security patch released by Progress immediately.
- Reinforce WAF (Web Application Firewall) rules to block common SQL injection attempts.
- Conduct a thorough review of access controls to ensure proper privilege management.
Patch Information
Progress has released patches for affected versions. Refer to their advisory for detailed patch application instructions.
Workarounds
As a temporary measure, disable unnecessary database functionalities and isolate the database server from public access where possible.
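# Example firewall rules to isolate the database server.
# 3306 is the default MySQL port; 10.10.0.0/24 is an example application subnet.
# Allow the application subnet first, then drop all other traffic to the port.
iptables -A INPUT -p tcp --dport 3306 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP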
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

