Moveit Transfer - SQLi (CVE-2023-34362)

Name: Moveit Transfer - SQLi (CVE-2023-34362)
Published: 2023-06-20T00:00:00.000Z

Vulnerability description: Moveit Transfer server is vulnerable to CVE-2023-34362, a SQL injection vulnerability that can be leveraged to achieve Remote Code Execution, affecting the /MOVEitISAPI/MOVEitISAPI.dll endpoint. The root cause of this vulnerability is improper sanitization of user-provided input inside the X-siLock-SessVar headers. This vulnerability allows an unauthenticated remote attacker to interact with the underlying MySQL database in order to control metadata regarding the sysadmin user which gives them access to the admin API which ultimately leads to Remote Code Execution.
Risk description: The risk exists that an unauthenticated remote attacker could leverage the SQL Injection vulnerability to gain control of the admin API in order to gain Remote Code Execution access which will result in a fully compromised server through which they could steal confidential information, install ransomware, or pivot to the internal network.
Recommendation: Update the Moveit Transfer server to one of the currently fixed versions: 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2).
References: https://nvd.nist.gov/vuln/detail/CVE-2023-34362
Codename: Not available