Progress MOVEit Transfer < 2020.1.9 / 2021.0.x < 2021.0.7 / 2021.1.x < 2021.1.5 / 2022.0.x < 2022.0.5 / 2022.1.x < 2022.1.6 / 2023.0.x < 2023.0.2 Critical Vulnerability (June 2023)

critical Nessus Plugin ID 177082


An application installed on the remote host is affected by multiple vulnerabilities.


The version of Progress MOVEit Transfer, formerly Ipswitch MOVEit DMZ, installed on the remote host is prior to 2020.1.9, 2021.0.7, 2021.1.5, 2022.0.5, 2022.1.6, or 2023.0.2. It is, therefore, affected by a SQL injection vulnerability as referenced in Progress Community article 000234899.

- Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.


Upgrade to Progress MOVEit Transfer version 2020.1.9, 2021.0.7, 2021.1.5, 2022.0.5, 2022.1.6, 2023.0.2, or later.

See Also

Plugin Details

Severity: Critical

ID: 177082

File Name: progress_moveit_transfer_15_0_2_39.nasl

Version: 1.3

Type: local

Agent: windows

Family: Windows

Published: 6/9/2023

Updated: 6/17/2023

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Rationale: Score based on analysis of the vendor advisory.


Risk Factor: Medium

Score: 6.0


Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: manual


Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:ipswitch:moveit_dmz, cpe:/a:ipswitch:moveit_transfer, cpe:/a:progress:moveit_transfer

Patch Publication Date: 6/9/2023

Vulnerability Publication Date: 6/9/2023

Reference Information

CVE: CVE-2023-35036