Progress MOVEit Transfer SQL Injection - Vulnerability Database

Progress MOVEit Transfer SQL Injection

Description

Progress MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) contain a critical SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands against the MOVEit Transfer database. This vulnerability enables attackers to bypass authentication controls and directly interact with the underlying database (MySQL, Microsoft SQL Server, or Azure SQL). Successful exploitation allows attackers to extract sensitive data, modify database records, delete critical information, and potentially gain administrative access to the application.

Remediation

Apply security patches immediately by upgrading to the following patched versions based on your current release branch:

• Version 2021.0.x → Upgrade to 2021.0.6 (13.0.6) or later
• Version 2021.1.x → Upgrade to 2021.1.4 (13.1.4) or later
• Version 2022.0.x → Upgrade to 2022.0.4 (14.0.4) or later
• Version 2022.1.x → Upgrade to 2022.1.5 (14.1.5) or later
• Version 2023.0.x → Upgrade to 2023.0.1 (15.0.1) or later
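As an added example (not part of this advisory or of the vendor's tooling), the branch table above turned into a patch-status check: an installed version string in either the marketing numbering (2022.1.3) or the internal build numbering (14.1.3) is mapped to its release branch and compared against the first fixed build for that branch. Hostnames and versions in the sample inventory are constructed.

```python
import re

# First fixed build per release branch, as listed in the advisory above.
# Key: (major, minor) in MOVEit's internal numbering; value: minimum patched build.
PATCHED_BY_BRANCH = {
    (13, 0): (13, 0, 6),  # 2021.0.6
    (13, 1): (13, 1, 4),  # 2021.1.4
    (14, 0): (14, 0, 4),  # 2022.0.4
    (14, 1): (14, 1, 5),  # 2022.1.5
    (15, 0): (15, 0, 1),  # 2023.0.1
}

# Marketing branch (year.minor) -> internal branch, from the same table.
MARKETING_TO_INTERNAL = {
    (2021, 0): (13, 0), (2021, 1): (13, 1),
    (2022, 0): (14, 0), (2022, 1): (14, 1),
    (2023, 0): (15, 0),
}

def parse_version(text):
    """Normalise '14.1.3', '2022.1.3' or '14.1.3.45' to an internal (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    major, minor = MARKETING_TO_INTERNAL.get((major, minor), (major, minor))
    return (major, minor, patch)

def assess(version_text):
    """'patched' or 'vulnerable' for a branch in the table; 'not-listed' for branches the
    advisory does not cover (older lines or newer releases), which need vendor guidance."""
    version = parse_version(version_text)
    fixed = PATCHED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Map {host: version} to {host: (status, minimum fixed build or None)}."""
    result = {}
    for host, ver in inventory.items():
        status = assess(ver)
        fixed = PATCHED_BY_BRANCH.get(parse_version(ver)[:2])
        target = ".".join(map(str, fixed)) if status == "vulnerable" else None
        result[host] = (status, target)
    return result

if __name__ == "__main__":  # constructed sample inventory; hostnames are made up
    print(triage({"mft-01": "14.1.3", "mft-02": "2022.0.4", "mft-03": "12.1.0"}))
```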

Additional remediation steps:
1. Review all MOVEit Transfer logs for suspicious activity, particularly unauthorized database queries or file access
2. Search for and remove any unauthorized web shells or files uploaded to the server
3. Reset all user credentials and API keys that may have been exposed
4. Conduct a thorough security audit of the database to identify any unauthorized modifications
5. If immediate patching is not possible, consider temporarily isolating the MOVEit Transfer server from the internet until patches can be applied