Skip to content
← Browse CVEs

CVE-2023-34362

UnscoredEPSS 99.9%CISA KEVCWE-89 · SQL Injection

Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

References

NVD MITRE CVE.org CISA KEV

Community ground truth

Community verdict

2 verdicts
Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

to add your verdict.

Community real-world severity: Critical (Critical 2)

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

  • 0
    Field note · Marco FerriCurated

    SQL injection → RCE in MOVEit Transfer. Cl0p mass-exploited it as a zero-day for data theft, hitting hundreds of orgs. The data-exfil supply-chain impact dwarfed the per-host severity.

  • 0
    Remediation · Diego RamírezCurated

    Patch immediately; then hunt for the human2.aspx webshell and review file-transfer/audit logs for the exploitation window.