MOVEit Security Bulletin – March 2017
All MOVEit® Transfer (DMZ) versions
An attacker could bypass protection mechanisms in order to read or modify confidential data.
A pre-authentication blind SQL injection vulnerability was discovered in the MOVEit® Transfer (DMZ) software. Ipswitch has determined that the vulnerability can be exploited, and customers should upgrade at their earliest convenience. Ipswitch does not intend to provide vulnerability details that could facilitate an exploit.
To address this problem, Ipswitch strongly recommends upgrading to a fixed version from the list below.
MOVEit Transfer 2017 (9.0) -> MOVEit Transfer 2017 (220.127.116.11)
MOVEit DMZ 8.3 -> MOVEit DMZ 18.104.22.168
MOVEit DMZ 8.1 -> MOVEit DMZ 22.214.171.124
All customers on a current maintenance agreement can access the upgrade by logging into the Ipswitch Community – https://community.ipswitch.com.
If you are running a version earlier than MOVEit DMZ 8.1, or if you are not currently covered by an existing support agreement, get in contact immediately at firstname.lastname@example.org.