CVE-2023-34362: Critical SQL Injection in Progress MOVEit Transfer – Active Exploitation, Patch Guidance
Progress MOVEit Transfer contains a SQL injection flaw that allows attackers to directly access and manipulate the application's database without needing credentials. An unauthenticated attacker can query, modify, or delete database records depending on the underlying database platform (MySQL, SQL Server, or Azure SQL). This vulnerability is particularly dangerous because it bypasses all authentication controls and has been actively exploited in production environments since May 2023, including in ransomware campaigns.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-89
- Affected products
- 2 configuration(s)
- Published / Modified
- 2023-06-02 / 2026-06-17
- KEV due date
- 2023-06-23 (added 2023-06-02)
NVD description (verbatim)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2023-34362 is a pre-authentication SQL injection vulnerability (CWE-89) in the MOVEit Transfer web application. The flaw permits attackers to inject arbitrary SQL commands through an unvalidated input vector, circumventing role-based access controls. Exploitation can occur via standard HTTP or HTTPS requests. The vulnerability affects all versions prior to the patched releases: 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1. Legacy unsupported versions (2020.0, 2019.x, and earlier) remain vulnerable. Database-specific impacts include data exfiltration, unauthorized modification, and potential denial of service through record deletion.
Business impact
Organizations running unpatched MOVEit Transfer deployments face immediate risk of complete database compromise. Attackers can extract sensitive file metadata, user credentials, and transfer records without authentication. Given active exploitation in ransomware operations, affected organizations should treat this as a critical incident risk. Downtime required for emergency patching and forensic investigation can disrupt file transfer operations. Compliance implications include mandatory breach notification if customer data or personally identifiable information is accessed or exfiltrated.
Affected systems
Progress MOVEit Transfer (all versions prior to 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1) and Progress MOVEit Cloud are affected. This includes all legacy and unsupported versions dating back to at least 2019.x and 2020.0. The vulnerability is database-agnostic and exploitable regardless of whether the deployment uses MySQL, Microsoft SQL Server, or Azure SQL as the backend.
Exploitability
This vulnerability has reached operational maturity in the threat landscape. The CVSS 3.1 score of 9.8 (Critical) reflects the absence of authentication requirements (PR:N), low attack complexity (AC:L), and network accessibility (AV:N). Since early June 2023, active exploitation has been documented in the wild, including integration into ransomware attack chains. No user interaction or special network positioning is required; a simple HTTP/HTTPS request from the internet is sufficient to trigger the vulnerability. Organizations should assume their unpatched systems have been targeted.
Remediation
Organizations must immediately upgrade to patched versions: 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, or 2023.0.1 or later, depending on their current release track. For unsupported legacy versions, migration to a supported release is mandatory. Interim mitigations (network segmentation, WAF rules blocking SQL keywords) may reduce immediate risk but do not eliminate the vulnerability. After patching, conduct database integrity audits and review access logs for indicators of prior compromise.
Patch guidance
Apply the appropriate patch version corresponding to your current release track without delay. Progress has released fixes across five version families to accommodate diverse deployment scenarios. Verify patch application by confirming the installed version against the vendor advisory. If your organization operates an unsupported release (2020.0 or earlier), plan an emergency upgrade to 2023.0.1 or equivalent to ensure long-term supportability. Test patches in a non-production environment first, but given active exploitation, accelerate to production as quickly as risk assessment permits.
Detection guidance
Monitor MOVEit Transfer web server and database logs for SQL syntax patterns in HTTP request parameters and POST bodies (e.g., UNION, SELECT, DROP, INSERT). Examine database query logs for anomalous statements originating from the web application user account, particularly queries accessing system tables or credential stores. Network detection signatures should alert on HTTP requests containing encoded SQL keywords (e.g., %27, %3D) directed at MOVEit endpoints. Endpoint Detection & Response (EDR) tools should flag unexpected database access or command execution by the MOVEit service account.
Why prioritize this
This vulnerability merits immediate response due to its CVSS Critical rating (9.8), confirmed active exploitation in ransomware operations, lack of authentication requirements, and the sensitive nature of data typically stored in MOVEit Transfer databases. The vulnerability's presence on the KEV catalog and ransomware association further elevates incident risk. Organizations that have not patched should treat this as a security incident requiring emergency response protocols.
Risk score, explained
The 9.8 CVSS score reflects maximum severity across confidentiality, integrity, and availability (C:H/I:H/A:H), combined with unauthenticated network-based exploitability (AV:N/PR:N/AC:L/UI:N). No security controls short of patching can fully mitigate the risk. The score aligns with observed real-world exploitation, including ransomware campaigns, confirming the threat model's accuracy.
Frequently asked questions
Is network segmentation effective as a temporary control?
Network segmentation can limit exposure by restricting internet-facing access to MOVEit Transfer, but it is not a substitute for patching. Many organizations operate MOVEit as a cloud or DMZ service requiring external connectivity. Implement both segmentation and expedited patching in parallel.
Do I need to patch if MOVEit Transfer is air-gapped or only used internally?
Yes. The vulnerability is exploitable by any network-connected attacker, including insiders or adjacent network segments. Air-gapped deployments have lower risk, but patching remains mandatory due to the severity and the potential for supply-chain or insider threat scenarios.
How do I determine if my MOVEit instance was compromised?
Review web server access logs and database query logs from May 2023 onwards for SQL injection patterns or suspicious queries. Engage forensics professionals to analyze database transaction logs and user account activity. Consider a full database integrity audit and credential reset for accounts with access to sensitive data.
Are there differences in exploitability across database backends (MySQL, SQL Server, Azure SQL)?
The injection vector is identical across all three database engines, but the attacker's capability to cause damage varies. SQL Server and Azure SQL support advanced T-SQL syntax that may enable lateral movement or OS-level access in certain configurations. MySQL databases may be more limited in scope but are equally compromised at the application level.
This analysis is provided for informational and defensive purposes only. It does not constitute legal, compliance, or professional security advice. Organizations must verify patch availability and compatibility with their specific MOVEit deployment configuration via official Progress documentation and vendor advisories. The vulnerability details and patch versions are sourced from public CVE and vendor records; please consult the Progress Security Advisory for authoritative guidance. Exploitation of computer systems without authorization is illegal. All remediation activities should be conducted in accordance with organizational change management and incident response procedures. Source: NVD (public-domain), retrieved 2026-07-06. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access
Preview — this page is review (quality 1). high-value: hold for review.