MOVEit transfer service pack has been discovered with three vulnerabilities associated with SQL injections (2) and a Reflected Cross-Site Scripted (XSS). The severity for these vulnerabilities ranges between 6.1 (Medium) and 8.8 (High).
Progress-owned MOVEit transfer was popularly exploited by threat actors who attacked several organizations as part of a ransomware campaign. The organizations previously reported to be affected by MOVEit vulnerability include Shell, BBC, British Airways, CalPERS, Honeywell, and US government agencies.
CVE-2023-42660: MOVEit Transfer SQL Injection
This SQL injection vulnerability was discovered on the MOVEit Transfer machine interface, which could lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer machine interface.
Successful exploitation could result in the modification and disclosure of MOVEit database content. However, a threat actor must be authenticated to exploit this vulnerability. Progress has given the severity of this vulnerability as 8.8 (High).
Products affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. Users are recommended to upgrade to the September Service Pack to fix this vulnerability.
CVE-2023-40043: MOVEit Transfer SQL Injection
This other SQL injection vulnerability exists in the MOVEit Transfer web interface, which could possibly lead to gaining unauthorized access to the MOVEit Transfer database. A threat actor could exploit this vulnerability by submitting a crafted payload to the MOVEit Transfer web interface.
Successful exploitation could result in the modification and disclosure of MOVEit database content. The prerequisite for a threat actor to exploit this vulnerability includes access to a MOVEit system administrator account. Progress has given the severity of this vulnerability as 7.2 (High).
Products that are affected by this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to the September Service Pack and limit sysadmin account access.
CVE-2023-42656: MOVEit Transfer Reflected XSS
This Reflected XSS vulnerability was found in the MOVEit Transfer’s web interface, which a malicious payload can exploit during the package composition procedure. A threat could craft a malicious payload and target MOVEit Transfer users. When interacting with the payload, the threat actor can execute malicious JavaScript on the victim’s browser.
Progress has given the severity of this vulnerability as 6.1 (Medium). Products affected due to this vulnerability include MOVEit Transfer, either MySQL or MSSQL DB, all versions. To prevent this vulnerability, users are recommended to Upgrade to September Service Pack and limit sysadmin account access.
A comprehensive list of vulnerable product versions, documentation, release notes, and fixed versions has been given below.
| Affected Version | Fixed Version (Full Installer) | Documentation | Release Notes |
| MOVEit Transfer 2023.0.x (15.0.x) | MOVEit Transfer 2023.0.6 (15.0.6) | MOVEit 2023 Upgrade Documentation   | MOVEit Transfer 2023.0.6 Release Notes |
| MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.9 (14.1.9) | MOVEit 2022 Upgrade Documentation  | MOVEit Transfer 2022.1.9 Release Notes |
| MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.8 (14.0.8) | MOVEit 2022 Upgrade Documentation  | MOVEit Transfer 2022.0.8 Release Notes |
| MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.8 (13.1.8) | MOVEit 2021 Upgrade Documentation  | MOVEit Transfer 2021.1.8 Release Notes |
| MOVEit Transfer 2021.0.x (13.0.x) or older | Must Upgrade to a Supported Version | See MOVEit Transfer Upgrade and | N/A |
| Migration Guide  |
A security advisory has been released by Progress which includes a comprehensive list of the affected products and the vulnerabilities that have been identified.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
