- 123/2023
- Critical
MOVEit Transfer has released a security update to address a zero-day vulnerability.
The addressed vulnerability could allow the remote attacker to gain unauthorized access to the application’s database and execute arbitrary commands, disclose information, and alter/delete database elements.
the addressed vulnerability:
Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Data Manipulation
Affected versions:
- MOVEit Transfer 2023.0.0 (15.0).
- MOVEit Transfer 2022.1.x (14.1), 2022.0.x (14.0).
- MOVEit Transfer 2021.1.x (13.1), 2021.0.x (13.0).
- MOVEit Transfer 2020.1.x (12.1).
- MOVEit Transfer 2020.0.x (12.0) or older.
It should be highlighted that the addressed zero-day vulnerability is actively exploited in the wild.
Vulnerabilities
CVE-2023-34362
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.