CVE-2017-6195

moderate-risk
Published 2017-05-18

Ipswitch MOVEit Transfer (formerly DMZ) allows pre-authentication blind SQL injection. The fixed versions are MOVEit Transfer 2017 9.0.0.201, MOVEit DMZ 8.3.0.30, and MOVEit DMZ 8.2.0.20.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Moveit Dmz
Moveit Dmz
Moveit Transfer 2017
Moveit Dmz

Affected Vendors

Ipswitch

References (4)

Patch http://ft.ipswitch.com/rs/751-HBN-596/images/Ipswitch-Security-Bulletin-FT-Vulne...
Third Party Advisory https://www.siberas.de/assets/papers/ssa-1705_IPSWITCH_SQLinjection.txt
Patch http://ft.ipswitch.com/rs/751-HBN-596/images/Ipswitch-Security-Bulletin-FT-Vulne...
Third Party Advisory https://www.siberas.de/assets/papers/ssa-1705_IPSWITCH_SQLinjection.txt
42
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 0/34 · Minimal
Exposure 10/34 · Low