CVE-2023-36934

CRITICAL EXPLOITED NUCLEI

Progress MOVEit Transfer < 12.1.11 - SQL Injection

Title source: rule

Description

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Nuclei Templates (1)

MOVEit Transfer - SQL Injection
CRITICAL VERIFIED by rootxharsh, iamnoooob, pdresearch
Shodan: http.favicon.hash:989289239
FOFA: icon_hash=989289239

Scores

CVSS v3 9.1
EPSS 0.9121
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

VulnCheck KEV 2023-12-04
CWE CWE-89
Status published
Products (1)
progress/moveit_transfer < 12.1.11
Published Jul 05, 2023
Tracked Since Feb 18, 2026