TROYANOSYVIRUS
Volver a CVEs

CVE-2023-34362

CRITICALCISA KEV
9.8

Descripcion

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Detalles CVE

Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado6/2/2023
Ultima modificacion10/27/2025
Fuentekev
Avistamientos honeypot0

CISA KEV

VendedorProgress
ProductoMOVEit Transfer
Nombre vulnerabilidadProgress MOVEit Transfer SQL Injection Vulnerability
Fecha inclusion KEV2023-06-02
Fecha limite remediacion2023-06-23
Uso en ransomwareKnown

Productos afectados

progress:moveit_cloudprogress:moveit_transfer

Debilidades (CWE)

CWE-89CWE-89

Referencias

http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html(cve@mitre.org)
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023(cve@mitre.org)
http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-34362(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.