MOVEit Transfer SQL Injection Vulnerability
CVE-2023-34362 is a critical vulnerability in MOVEit Transfer, the managed file transfer (MFT) product developed by Progress Software. It was exploited in the wild as a zero-day before a patch existed.
The flaw is a SQL injection in the MOVEit Transfer web application. It lets an unauthenticated attacker gain access to the MOVEit Transfer database, infer information about the database's structure and contents, and execute SQL statements that alter or delete database elements. The exact impact depends on the database engine behind the deployment (MySQL, Microsoft SQL Server, or Azure SQL), since the engines differ in what an injected statement can do, but because the attacker controls arbitrary SQL, the MOVEit Transfer database can be compromised completely.
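To make the bug class concrete, the following is an added example; it is not MOVEit Transfer's code and does not reproduce the product's actual vulnerable code path. It uses SQLite in place of MySQL, Microsoft SQL Server or Azure SQL, a constructed two-table schema (hypothetical `users` and `files` tables) standing in for an MFT application's store, and three constructed inputs. It shows the three effects described above, a tautology that bypasses a filter, a probe of the engine's catalog that reveals table names (structure inference), and an injected `UPDATE` that alters data, each beside the parameterized statement that treats the same input as plain data.

```python
"""Added example of the SQL injection bug class behind CVE-2023-34362.
Not MOVEit Transfer code; schema and inputs are constructed for illustration."""
import sqlite3


def build_db():
    """Hypothetical MFT-style schema; stands in for the real product's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, display TEXT, role TEXT);
        CREATE TABLE files (name TEXT, owner TEXT);
        INSERT INTO users VALUES ('alice', 'Alice', 'user');
        INSERT INTO users VALUES ('bob', 'Bob', 'admin');
        INSERT INTO files VALUES ('q1-report.xlsx', 'alice');
        INSERT INTO files VALUES ('payroll.csv', 'bob');
    """)
    return conn


# --- vulnerable pattern: request data is spliced into the SQL text ----------

def list_files_vulnerable(conn, owner):
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def set_display_vulnerable(conn, username, display):
    sql = f"UPDATE users SET display = '{display}' WHERE username = '{username}'"
    conn.execute(sql)
    conn.commit()


# --- hardened pattern: parameterized statements, input is never parsed as SQL

def list_files_safe(conn, owner):
    return [row[0] for row in
            conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))]


def set_display_safe(conn, username, display):
    conn.execute("UPDATE users SET display = ? WHERE username = ?",
                 (display, username))
    conn.commit()


def role_of(conn, username):
    return conn.execute("SELECT role FROM users WHERE username = ?",
                        (username,)).fetchone()[0]


# Constructed attacker inputs. SCHEMA_PROBE reads SQLite's catalog; the same
# idea targets sys.tables on SQL Server or information_schema on MySQL.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_PROBE = "' UNION ALL SELECT name FROM sqlite_master WHERE type = 'table' --"
ESCALATE = "x', role = 'admin' WHERE username = 'alice' --"


def demo():
    """Runs each input through the vulnerable and safe versions; returns results."""
    results = {}
    conn = build_db()
    # 1. Tautology: filter on owner is bypassed, every file is listed.
    results["vuln_all_files"] = list_files_vulnerable(conn, TAUTOLOGY)
    results["safe_all_files"] = list_files_safe(conn, TAUTOLOGY)
    # 2. Structure inference: the UNION leaks table names from the catalog.
    results["vuln_tables"] = list_files_vulnerable(conn, SCHEMA_PROBE)
    # 3. Data modification: a "display name" update rewrites alice's role.
    set_display_vulnerable(conn, "alice", ESCALATE)
    results["vuln_role_after"] = role_of(conn, "alice")
    # Same input through the parameterized UPDATE only changes the display text.
    conn2 = build_db()
    set_display_safe(conn2, "alice", ESCALATE)
    results["safe_role_after"] = role_of(conn2, "alice")
    results["safe_display_after"] = conn2.execute(
        "SELECT display FROM users WHERE username = 'alice'").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

One caveat when transferring this to the engines MOVEit Transfer supports: Python's `sqlite3` refuses stacked statements in a single `execute` call, so an injected `'; DELETE FROM files; --` is not demonstrated here, whereas Microsoft SQL Server does accept stacked statements, which is one reason the advisory's impact is engine dependent.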
Exploitation has been widespread: Mandiant reports mass downloading of data from affected organizations, that is, large-scale data exfiltration. Because the attackers appear to have begun exploiting the flaw before Progress Software released patches, applying the patch alone does not establish that an instance was never compromised; affected organizations should thoroughly review their environments for indicators of compromise to determine whether they were targeted. Patches are available for several versions of the software.