SQL injection—or SQLi—vulnerabilities remain a persistent class of defect in commercial software products.1 Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers have continued to develop products with this defect, which puts many customers at risk.2 CISA and the FBI are releasing this Secure by Design Alert in response to a recent well-publicized malicious threat actor campaign that exploited SQLi defects in a managed file transfer application to target and compromise users of that application—impacting thousands of organizations. CISA and the FBI urge senior executives at technology manufacturers to mount a formal review of their code to determine its susceptibility to SQLi compromises and encourage all technology customers to ask their vendors whether they have conducted such a review. If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products.3 Building security into products from the beginning can eliminate SQLi vulnerabilities.