CVE-2023-34362

CVE-2023-34362 is a critical-severity vulnerability in Progress Moveit Cloud with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-06-02). The underlying weakness is classified as CWE-89.

Key facts

Description

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

CVE-2023-34362: Critical SQL Injection in MOVEit Transfer (Exploited in the Wild)

AI-generated analysis based on the vulnerability data on this page.

CVE Severity CVSS v3.1 EPSS KEV CWE Published
CVE-2023-34362 Critical 9.8 0.99934 Yes CWE-89 (SQL Injection) 2023-06-02

Summary

A critical SQL injection vulnerability (CWE-89) exists in the MOVEit Transfer web application. An unauthenticated remote attacker can exploit this flaw to access the underlying database, infer its structure and contents, and potentially execute SQL statements that alter or delete database elements. The vulnerability has been actively exploited in the wild since May and June 2023, affecting all versions of MOVEit Transfer prior to the patched releases.

Background

MOVEit Transfer is a managed file transfer (MFT) solution developed by Progress Software, widely deployed by enterprises to securely transfer sensitive data between internal and external parties. In late May 2023, reports emerged of a zero-day vulnerability being exploited in the wild, prompting an urgent security response from Progress Software and CISA.

Root Cause

This vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). The MOVEit Transfer web application fails to adequately sanitize user-supplied input before incorporating it into SQL queries. This allows an attacker to inject malicious SQL syntax directly into database queries via HTTP or HTTPS requests, bypassing authentication and gaining direct database access. The flaw resides in the web application's request handling layer, where input parameters are concatenated into SQL statements without proper parameterized query construction or input validation.

Impact

The CVSS v3.1 score is 9.8 (Critical), with the following metrics:

  • Attack Vector (AV): Network — exploitable remotely over the internet
  • Attack Complexity (AC): Low — no special conditions or advanced techniques required
  • Privileges Required (PR): None — unauthenticated exploitation is possible
  • User Interaction (UI): None — no user action required
  • Scope (S): Unchanged — impact remains within the vulnerable component
  • Confidentiality (C): High — attacker can read database contents
  • Integrity (I): High — attacker can modify or delete database records
  • Availability (A): High — attacker can disrupt database operations

The EPSS score of 0.99934 (99.93rd percentile) indicates near-certain probability of exploitation, reflecting the widespread active exploitation observed in the wild. CISA added this CVE to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2023, and EU authorities also confirmed active exploitation (EUVD-2023-38442).

Exploitation Walkthrough

Ethics & Scope: This section describes the vulnerability from a defensive perspective only. No exploit code or detailed attack instructions are provided. The information below is intended to help defenders understand the attack surface and detection opportunities.

The vulnerability is exposed through the MOVEit Transfer web application's HTTP/HTTPS interface. An attacker crafts a specially structured request to a web endpoint that directly incorporates user input into a backend SQL query. Because the application does not properly parameterize or sanitize this input, the attacker's SQL fragments are executed by the database engine (MySQL, Microsoft SQL Server, or Azure SQL).

In the wild, exploitation has been observed resulting in:

  • Unauthorized database enumeration and data exfiltration
  • Modification of MOVEit Transfer user accounts and permissions
  • Deployment of web shells for persistent access
  • Lateral movement within compromised environments

Defenders should focus on the fact that the web application is the initial entry point, and that exploitation traffic arrives via standard HTTP/HTTPS ports.

Affected and Patched Versions

Affected Products:

  • Progress MOVEit Transfer (all versions before the patched releases listed below)
  • Progress MOVEit Cloud (versions before the corresponding cloud patches)

Patched Versions:

  • MOVEit Transfer 2021.0.6 (13.0.6)
  • MOVEit Transfer 2021.1.4 (13.1.4)
  • MOVEit Transfer 2022.0.4 (14.0.4)
  • MOVEit Transfer 2022.1.5 (14.1.5)
  • MOVEit Transfer 2023.0.1 (15.0.1)

Note: All versions prior to 2021.0 (including 2020.0 and 2019.x releases) are also affected. These older versions are unsupported and should be upgraded immediately.

Remediation

Immediate Actions:

  1. Upgrade to a patched version as soon as possible. Progress Software has released hotfixes for supported versions. Older unsupported versions must be upgraded to a supported release.
  2. If immediate patching is not possible, apply the following temporary mitigations:
    • Disable all HTTP and HTTPS traffic to the MOVEit Transfer application.
    • Restrict network access to the application to trusted IP addresses only.
    • Monitor for and remove any unauthorized files or accounts created on the system.

Compensating Controls:

  • Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting MOVEit Transfer endpoints. However, WAF rules alone are not a substitute for patching.
  • Enable comprehensive logging of all HTTP/HTTPS requests to the MOVEit Transfer server and forward logs to a SIEM for real-time analysis.
  • Apply network segmentation to isolate MOVEit Transfer servers from internal critical assets.
  • Conduct a thorough review of all MOVEit Transfer user accounts and access logs for signs of unauthorized access, web shell deployment, or data exfiltration.

Detection

Indicators to Monitor:

  • Unusual HTTP/HTTPS requests to MOVEit Transfer web endpoints, especially requests containing SQL keywords, union statements, or encoded SQL payloads.
  • Unexpected database connection patterns or large-scale data queries from the MOVEit Transfer application.
  • New or modified files in the MOVEit Transfer web directories, particularly unexpected ASPX, PHP, or other script files (indicators of web shell deployment).
  • Unexpected administrative user accounts or privilege changes within the MOVEit Transfer application.
  • Outbound network connections from the MOVEit Transfer server to unexpected external destinations.
  • Log entries showing rapid sequential access to the web application from the same source IP, which may indicate automated exploitation attempts.

Recommended Tools:

  • SIEM rules detecting SQL injection signatures in MOVEit Transfer web access logs.
  • EDR solutions monitoring for file system changes in the MOVEit Transfer installation directory.
  • Network traffic analysis tools identifying anomalous outbound connections from MFT servers.

Assessment

The combination of a CVSS 9.8 critical score, an EPSS of 0.99934, and confirmed active exploitation (CISA KEV, EU exploited) makes this one of the highest-priority vulnerabilities to remediate in any environment running MOVEit Transfer. The unauthenticated nature of the attack and the fact that exploitation occurs over standard HTTP/HTTPS means that internet-facing instances are at immediate and severe risk.

Key Lessons:

  1. SQL injection remains a critical and exploitable vulnerability class even in enterprise-grade software. Input sanitization and parameterized queries are fundamental security controls that must be consistently applied.
  2. Vulnerability disclosure and rapid patching are essential. The timeline between public disclosure and widespread exploitation was extremely short. Organizations should have robust patch management and incident response plans for zero-day scenarios affecting their critical infrastructure.

References

Frequently asked questions

What is CVE-2023-34362?
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
How severe is CVE-2023-34362?
CVE-2023-34362 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-34362 being actively exploited?
Yes. CVE-2023-34362 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-06-02, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-34362?
CVE-2023-34362 primarily affects Progress Moveit Cloud. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-34362?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-34362 have an EU (EUVD) identifier?
Yes. CVE-2023-34362 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-38442. It is also flagged as exploited in the EUVD (since 2023-06-02).
When was CVE-2023-34362 published?
CVE-2023-34362 was published on 2023-06-02 and last updated on 2026-06-17.

References

Affected products (2)

Other CWE-89 (SQL Injection) vulnerabilities

Browse all CWE-89 (SQL Injection) vulnerabilities →