The FBI and CISA want to lead a major crackdown on SQL vulnerabilities

News
By published

Software developers urged to change their approach to coding

Hacker
Image Credit: Geralt / Pixabay (Image credit: Image Credit: Geralt / Pixabay)

Despite being well-documented for some time now, and considered an “unforgivable” mishap, SQL Injection (SQLi) vulnerabilities remain “a persistent class of defect in commercial software products,” a new report from the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) has declared.

In the paper, the two US government agencies are urging commercial software builders to “mount a formal review of their code” to establish whether or not it is susceptible to SQLi. 

Users are advised to push their vendors to run such reviews. 

Bypassing 2FA

“If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products,” the two firms said.

SQL injection is a type of attack in which a hacker can “inject” malicious queries into an SQL command, resulting in the execution of arbitrary queries. As a result, threat actors could access sensitive data, and even take over vulnerable systems.

This type of vulnerability stems from the “co-mingling of database queries and user-supplied data,” the two organizations explained. To mitigate the threat, organizations should use parameterized queries with prepared statements, as this approach separates SQL code from user data. 

SQLi vulnerabilities were the third most dangerous software vulnerability between 2021 and 2022 according to MITRE, BleepingComputer reported in its writeup.

"Incorporating this mitigation at the outset—beginning in the design phase and continuing through development, release, and updates—reduces the burden of cybersecurity on customers and risk to the public."

CISA and the FBI said they released Secure by Design Alert “in response to a recent well-publicized malicious threat actor campaign that exploited SQLi defects in a managed file transfer application to target and compromise users of that application—impacting thousands of organizations,” referring to last year’s Cl0p campaign that started with a vulnerability in MOVEit.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Avast cybersecurity
Hackers are hijacking government software to access sensitive servers
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
API
Businesses are being plagued by API security risks - with nearly 99% affected
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
CISA tells agencies to patch BeyondTrust bug now
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
A person using a laptop on a table.
Microsoft warns hackers have a new and devious way of distributing malware
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
Zotac Gaming RTX 5090 Graphics Card
Nvidia Blackwell stock woes are compounded by price hikes as more RTX 5090 GPUs soar in pricing, and I’m sick and tired of it all at this point
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Branch office chairs next to a TechRadar-branded badge that reads Big Savings.

This office chair deal wins the Amazon Spring Sale for me and it's so good I don't expect it to last
See more latest
Most Popular
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat
The RIG M2 Streamstar attached to a boom arm.
The RIG M2 Streamstar has the world's first Bluetooth audio gateway in a wired gaming microphone
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'
Data leak
A major Keenetic router data leak could put a million households at risk