CVE-2023-36934 - Critical Security Flaw: SQL Injection Bypass Vulnerability in MOVEit Transfer Software


On June 22, 2023, a critical unauthenticated SQL injection (SQLi) flaw was reported in MOVEit Transfer software. This vulnerability was discovered by Guy Lederfein of Trend Micro, in collaboration with the Zero Day Initiative. The presence of this vulnerability poses a significant risk to the security of affected systems. This blog post aims to provide details of this vulnerability its impact, and the necessary steps to protect your website. 

Comprehensive Look into the CVE-2023-36934:

It has been identified that earlier versions of the MOVEit Transfer web application, specifically those released prior to 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), contain a vulnerability related to SQL injection. This particular vulnerability, if exploited by an unauthorized attacker, could result in unauthorized access to the MOVEit Transfer database. To exploit this weakness, an attacker can skillfully construct and send a payload to a specific MOVEit Transfer application endpoint, potentially enabling them to manipulate and expose the contents of the MOVEit database. This Vulnerability has CVSS score of 9.8 and poses a significant risk to affected systems.

Affected Endpoint:

Vulnerability is in the “human.aspx” endpoint of the MOVEit Transfer software. This flaw allows for the execution of SQL queries using a specially crafted request that includes a user-supplied string. Exploiting this vulnerability enables an attacker to execute arbitrary code within the context of the moveitsvc user. It is imperative for MOVEit Transfer users to address this vulnerability promptly to prevent potential security breaches.

Proof-of-Concept and Exploit References:

Unlike CVE-2923-36934, there have been reported cases of exploitation in the wild, and no public proof-of-concept exploits have surfaced. Nevertheless, it is anticipated that malicious actors will actively pursue the development of such exploits in the upcoming weeks and months. In light of this, recommends all users running MOVEit Transfer to promptly apply the available patches to ensure the highest level of security for their systems.

This link provides a Nuclei Template designed to assist in identifying the critical SQL injection (SQLi) authentication bypass vulnerability, present in MOVEit Transfer Software.

Effective Risk Remediation:

Software has released the required updates for all significant versions of MOVEit Transfer, emphasizing the importance for users to promptly update to the latest version in order to minimize the potential risks associated with these vulnerabilities.

Affected Version

Fixed Version (Drop-In DLLs)


Release Notes

MOVEit Transfer 2020.1.6 (12.1.6) or later

MOVEit Transfer 2020.1.11 (12.1.11)

Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions

MOVEit Transfer 2020.1.11 Release Notes

MOVEit Transfer 2020.0.x (12.0.x) or older

 Must upgrade to a supported version

See MOVEit Transfer Upgrade 
and Migration Guide



Community News:

Contributed by Sharanu Kalyan

Post a Comment