Passthrough: CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities

Created: Tuesday, March 26, 2024 - 12:39
Categories: Cybersecurity, Federal & State Resources, Security Preparedness

CISA and the FBI released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. The alert came in response to the recent exploitation of a SQL injection vulnerability in a managed file transfer application (MOVEit) that affected thousands of organizations. Although the alert is targeted toward software manufacturers, it provides useful information on what SQL injection is and highlights the prevalence of this class of vulnerability.

Software manufacturers continue to develop products with SQL injection (SQLi) defects despite widespread knowledge and documentation of these vulnerabilities over the past two decades. Members should be aware that SQL injection is still an active risk and be diligent in vetting the types of software they use. Access the full joint alert here.

For additional information on SQL injection, see this resource previously shared by WaterISAC:
Threat Awareness – Website Injection Attacks Remain a Complex Threat to Organizations