CVE-2023-35708

ENISA EUVD: EUVD-2023-39707 ↗

✓ Confirmed 0-Day

Triaged: March 20, 2026 1 article Published: 2023-06-16

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-23

76.74%

probability

This CVE has a 76.74% probability of being exploited in the next 30 days.

0% Top 99.0th percentile of all CVEs 100%

CVSS v3.1

Source: NVD

9.8

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).

Affected Products

n/a

progress

moveit transfer

n/a

Attack Intelligence

CWE-707 · Improper Neutralization CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89 · SQL Injection CWE-943 · Improper Neutralization of Special Elements in Data Query Logic

https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023

https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability

Signal Intelligence

Confidenceⓘ

75%

EPSS 76.74%

CVSS v3.1 9.8

Mentions 1

CNA Information

CNA Assigner

mitre

Analyst Note

CVE-2023-35708 is a MOVEit Transfer SQL injection vulnerability disclosed by Progress Software in 2023 during active Cl0p ransomware exploitation campaign. The CVE was disclosed as part of an actively exploited vulnerability cluster (MOVEit zero-days), and the article explicitly contextualizes it within the Cl0p mass attack, indicating exploitation in the wild coinciding with or preceding vendor disclosure.

Threat Actors 6

Hacking Team

apt_group 🇮🇹 IT

Volt Typhoon

apt_group Information theft and espionage 🇨🇳 CN

APT 22

apt_group Information theft and espionage 🇨🇳 CN

APT 6

apt_group Information theft and espionage 🇨🇳 CN

Mana Team

apt_group 🇨🇳 CN

APT 5

apt_group Information theft and espionage 🇨🇳 CN

Triage Info

Decided atMar 20, 2026

Published DateJun 16, 2023