PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-4766 Movus CVE debrief

CVE-2023-4766 is a critical SQL injection vulnerability affecting Movus versions before 20230913. According to NVD, the issue is reachable over the network, requires no privileges or user interaction, and carries a CVSS 3.1 base score of 9.8. The published advisory references USOM materials and maps the weakness to CWE-89. For defenders this is a high-priority exposure, because the reported impact covers confidentiality, integrity, and availability.

Vendor: Movus
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-09-14
Original CVE updated: 2026-05-21
Advisory published: 2023-09-14
Advisory updated: 2026-05-21

Who should care

Security teams, administrators, and operators responsible for Movus deployments should treat this as urgent, especially if any instance may be running a version earlier than 20230913. Asset owners, vulnerability management teams, and incident responders should also verify exposure and remediation status.

Technical summary

The source corpus describes an improper neutralization of special elements used in an SQL command (CWE-89, SQL injection) in Movus. NVD lists the vulnerable CPE as cpe:2.3:a:movus:movus:*:*:*:*:*:*:*:*, with all versions before 20230913 marked vulnerable. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable flaw that needs no privileges or user interaction and has high impact on confidentiality, integrity, and availability.
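To make the CWE-89 weakness class concrete, the following added example (not Movus code; the users table and both lookup functions are invented for the demonstration) places a string-concatenated query beside its parameterized equivalent and shows why only the latter keeps caller-supplied input as data.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
# Illustrative only: the schema and the lookup functions are assumptions
# made for this demonstration, not code from Movus.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    # CWE-89 pattern: the caller-supplied value is spliced into the SQL text,
    # so the database parser sees it as part of the command, not as data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Hardened form: the value is bound as a parameter, so SQLite treats it
    # as a single string literal whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # A benign lookup behaves identically in both forms.
    print(lookup_concatenated(db, "bob"), lookup_parameterized(db, "bob"))
    # An input that closes the string literal changes the meaning of the
    # concatenated query (every row comes back) but not of the bound one.
    probe = "' OR '1'='1"
    print(lookup_concatenated(db, probe))   # all three names
    print(lookup_parameterized(db, probe))  # []
```

The concatenated form returns every row for an input that closes the string literal, while the bound form returns nothing because the whole input is compared as one literal. This is the review criterion to apply to any application code handling the affected Movus instance's database access.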

Defensive priority

Critical. The combination of remote reachability, no authentication requirement, and high CIA impact makes this a top-tier remediation item for any affected Movus deployment.

Recommended defensive actions

  • Identify all Movus installations and verify whether any are running a version before 20230913.
  • Apply the vendor or distributor update that brings the deployment to 20230913 or later, or otherwise remove the affected instance from service.
  • Review internet-facing and internally reachable paths to Movus and restrict access until remediation is confirmed.
  • Check application and database logs for unusual query patterns or unexpected database activity around the exposure window.
  • Validate that compensating controls such as WAF rules, input validation, and least-privilege database permissions are in place, but do not treat them as a substitute for patching.
  • Reassess after remediation to confirm the vulnerable version is no longer present in asset inventory and configuration records.
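The six steps above form one workflow: find affected instances, confirm remediation, and look back through logs for the exposure window. The added example below (not part of the debrief and not Movus tooling) implements the inventory check and the log triage over constructed data. It assumes Movus versions are date-stamped YYYYMMDD strings, as the 20230913 boundary suggests; the hostnames, inventory rows, access-log lines and indicator patterns are invented for the example.

```python
import re
from urllib.parse import unquote_plus

# First non-vulnerable version per the NVD record for CVE-2023-4766.
FIXED_VERSION = "20230913"

# Constructed inventory rows standing in for an asset-management export.
# Hostnames and versions are invented.
INVENTORY = [
    {"host": "movus-prod-01", "product": "movus", "version": "20230815"},
    {"host": "movus-prod-02", "product": "movus", "version": "20230913"},
    {"host": "movus-dev-01", "product": "movus", "version": "20231002"},
    {"host": "web-01", "product": "nginx", "version": "1.24.0"},
]


def is_vulnerable_version(version):
    # Assumption: Movus versions are eight-digit date stamps (YYYYMMDD), so
    # they compare correctly as integers. Any other shape is reported as
    # unknown (None) rather than silently treated as safe.
    if not re.fullmatch(r"\d{8}", version):
        return None
    return int(version) < int(FIXED_VERSION)


def find_exposed_hosts(inventory):
    # Step 1 of the checklist: which Movus hosts still run a version < fixed.
    exposed = []
    for item in inventory:
        if item["product"] != "movus":
            continue
        if is_vulnerable_version(item["version"]):
            exposed.append(item["host"])
    return exposed


# Constructed access-log lines (not from any real deployment). The second and
# third requests carry SQL metacharacter sequences; the fourth shows a
# legitimate apostrophe that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2023:10:01:02 +0000] "GET /app/report?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/Sep/2023:10:02:17 +0000] "GET /app/report?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 8123
10.0.0.9 - - [12/Sep/2023:10:02:40 +0000] "GET /app/report?id=42%20UNION%20SELECT%20null HTTP/1.1" 500 0
10.0.0.7 - - [12/Sep/2023:10:03:00 +0000] "GET /app/search?q=o%27brien HTTP/1.1" 200 300
"""

# Common-log-format fields; the request target includes the query string.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicator patterns for step 4 of the checklist (log review). A lone
# apostrophe is deliberately not an indicator, to avoid flagging names.
SQLI_INDICATORS = [
    re.compile(r"'\s*(or|and)\s", re.I),          # quote followed by boolean
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"--|/\*"),                        # SQL comment sequences
]


def triage_log(text):
    # Decode the request target before matching so percent-encoded
    # metacharacters are seen as the database would see them.
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("target"))
        matched = [p.pattern for p in SQLI_INDICATORS if p.search(decoded)]
        if matched:
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "target": decoded,
                "status": m.group("status"),
                "indicators": matched,
            })
    return hits


if __name__ == "__main__":
    print("Exposed hosts:", find_exposed_hosts(INVENTORY))
    for hit in triage_log(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["status"], hit["target"])
```

Running it lists movus-prod-01 as the only exposed host (20230913 itself is the fixed boundary, and the nginx row is skipped) and flags the two requests from 10.0.0.9 while leaving the o'brien search alone. In a real review, replace the constructed inventory and log text with your CMDB export and the web or application logs covering the exposure window, and treat the indicator list as a starting point for triage rather than a verdict.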

Evidence notes

All factual claims in this debrief are drawn from the supplied NVD record and linked USOM references. The CVE was published on 2023-09-14 and later modified on 2026-05-21 in the source metadata; those dates are used only as record-timeline context. The vulnerability is described as SQL injection (CWE-89), with a vulnerable version boundary before 20230913 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Official resources

The CVE was published in the source record on 2023-09-14. NVD later modified the record on 2026-05-21. The issue is stated to affect Movus versions before 20230913.