CVE-2023-35036

CRITICAL EXPLOITED RANSOMWARE

Progress MOVEit Transfer < 2021.0.7, 2021.1.5, 2022.0.5, 2022.1.6, 2023.0.2 - Unauthenticated SQL Injection

Exploitation Summary

CVE-2023-35036 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns.

Description

In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Scores

CVSS v3: 9.1
EPSS: 0.3426
EPSS Percentile: 97.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2023-06-03
Ransomware Use: Confirmed
CWE: CWE-89
Status: published
Products (1): progress/moveit_transfer < 2021.0.7
Published: Jun 12, 2023
Tracked Since: Feb 18, 2026