CVE-2023-34362: Progress MOVEit Transfer SQL Injection Vulnerability

Published Jun 2, 2023
·
Updated

Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

Other sources

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Affected Software

11 affected components
Progress MOVEit Transfer
Progress Moveit Cloud<14.0.5.45
Progress Moveit Cloud>=14.1.0.0<14.1.6.97
Progress Moveit Cloud>=15.0.0.0<15.0.2.39
Progress MOVEit Transfer<2021.0.7
Progress MOVEit Transfer>=2021.1.0<2021.1.5
Progress MOVEit Transfer>=2022.0.0<2022.0.5
Progress MOVEit Transfer>=2022.1.0<2022.1.6
Progress MOVEit Transfer>=2023.0.0<2023.0.2
Progress MOVEit Transfer<=2020.1.6
Progress MOVEit Transfer>=2021.0<2021.0.7

Event History

Jun 2, 2023
CVE Published
via MITRE·12:00 AM
Known Exploited
via CISA·12:00 AM
Known Ransomware
via CISA·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
02:15 PM
Description
Data Sourced
via NVD·02:15 PM
DescriptionSeverityWeaknessAffected Software
Dec 15, 2023
News Published
02:53 PM
Feb 7, 2024
News Published
via ZDNet·03:49 PM
News Published
via ZDNet·05:24 PM
Feb 8, 2024
News Published
via The Register·07:28 AM
News Published
via The Register·07:31 AM
May 8, 2024
News Published
via The Register·02:00 PM
Nov 12, 2024
News Published
via The Register·01:29 PM
Jul 2, 2025
News Published
via The Register·09:38 AM

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID of Progress MOVEit Transfer SQL Injection Vulnerability?

The vulnerability ID of Progress MOVEit Transfer SQL Injection Vulnerability is CVE-2023-34362.

2

What is the affected software by CVE-2023-34362?

The affected software by CVE-2023-34362 is Progress MOVEit Transfer.

3

How severe is CVE-2023-34362?

CVE-2023-34362 is a SQL injection vulnerability in Progress MOVEit Transfer which could allow an unauthenticated attacker to gain access to the application's database.

4

How can I fix CVE-2023-34362?

To fix CVE-2023-34362, it is recommended to upgrade to Progress MOVEit Transfer versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), or 2023.0.1 (15.0.1) where the vulnerability is patched.

5

Where can I find more information about CVE-2023-34362?

You can find more information about CVE-2023-34362 in the following references: [1] [2] [3].

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203