CVE-2023-34362 is a SQL injection vulnerability in Progress MOVEit Transfer, the widely used managed file transfer product, rated CVSS v3.1 9.8 (Critical). An unauthenticated attacker could inject SQL against the web application, infer and manipulate database contents, and — chained with the product's own logic — deploy a web shell that enabled data theft and command execution. It is the flaw the Cl0p ransomware group weaponized to breach thousands of organizations in one of the largest mass-exploitation campaigns on record.
Timeline and impact
Progress Software disclosed the vulnerability and released patches on May 31, 2023. By then it was already being exploited as a zero-day: investigators later placed the earliest activity days before disclosure, in late May 2023. Cl0p exploited it at scale, dropping a web shell tracked as LEMURLOOT (commonly seen as human2.aspx) to exfiltrate files from MOVEit instances. Because MOVEit Transfer is used by enterprises, government agencies, and — critically — third-party service providers who move data on behalf of many downstream clients, a single compromised MOVEit instance often exposed dozens of organizations. The victim count grew for months as the transitive, service-provider nature of the breach became clear.
The incident became the defining example of managed-file-transfer software as a supply-chain risk. These products sit at the boundary of an organization, are internet-facing by design, and hold exactly the sensitive data attackers want. The lasting lesson is that internet-exposed data-handling applications must be patched on an emergency timeline, and that you cannot reason about your exposure to a breach like this without knowing which of your vendors and services run the affected product.
Technical root cause
The vulnerability lived in the MOVEit Transfer web application, where user-influenced input reached a database query without sufficient sanitization or parameterization. That allowed an unauthenticated attacker to inject SQL statements, which — depending on the backend engine (Microsoft SQL Server, MySQL, or Azure SQL) — let them read and alter database contents and drive the follow-on steps that planted a web shell.
The root cause is the oldest one in web security: concatenating untrusted input into SQL instead of using parameterized queries. The unsafe pattern that classes of bugs like this stem from looks like this:
// UNSAFE: untrusted input concatenated into the query text
var sql = "SELECT * FROM users WHERE name = '" + userInput + "'";
db.Execute(sql);
The safe pattern binds input as a parameter so it can never be parsed as SQL syntax:
// SAFE: input is bound as a parameter, never interpreted as SQL
var sql = "SELECT * FROM users WHERE name = @name";
db.Execute(sql, new { name = userInput });
Because the injection point was reachable pre-authentication on an internet-facing endpoint, and because it could be chained to write files the application would later serve and execute, a classic injection turned into remote data theft and code execution at scale.
Progress's fix corrected the vulnerable query handling so attacker-controlled input can no longer be interpreted as SQL.
How to detect if you are affected
- Identify the product and version. The fix shipped in MOVEit Transfer 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). Any earlier build of those lines is vulnerable.
- Hunt for the web shell. Progress and incident responders published indicators: the presence of
human2.aspx(or similarly named files) in the MOVEitwwwrootdirectory, unexpected new administrator or service accounts, and large outbound transfers. - Review web and database logs for anomalous queries and for access to the injection endpoints around and before May 31, 2023.
Where a MOVEit-style web application runs inside a container image, Safeguard's container security scanning inventories the shipped application version so a lagging build is flagged in the pipeline rather than trusted in production.
Remediation and patched versions
- Upgrade to a patched build — 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, or 2023.0.1 (or later) — matching your MOVEit line. Progress released these on an emergency timeline precisely because active exploitation was underway.
- Assume compromise on any instance that was internet-exposed and unpatched. Patching does not remove an existing web shell or exfiltrated data. Follow Progress's containment guidance: hunt for
human2.aspxand other artifacts, remove them, rotate all MOVEit credentials and keys, and review accounts for attacker-created access. - Reduce exposure. Restrict inbound access to the MOVEit web interface, put it behind authenticated gateways where feasible, and monitor the endpoints and file paths named above.
- Assess third-party exposure. Because service providers were breached, map which of your vendors handle your data via MOVEit and confirm their remediation.
How Safeguard surfaces and helps you respond to MOVEit
CVE-2023-34362 is a product vulnerability, but everything painful about it was a supply-chain-visibility problem: organizations struggled to answer "do we — or our vendors — run MOVEit, and is it patched?" fast enough to matter. Safeguard is built to make that answerable. Findings are enriched with CISA KEV and EPSS signals so an actively mass-exploited, internet-facing flaw is pushed to the top of the queue rather than sorted by raw score, and continuous inventory turns "where does this run?" into a query. Where the affected workloads are containerized, software composition analysis resolves the shipped versions across your images, and the Safeguard CLI lets you gate a vulnerable build in CI before it deploys.
For the code and images you build, automated fix pull requests drive the version bump and rebuild through your pipeline, and Griffin AI captures the reality MOVEit made unforgettable — that patching without hunting for the web shell and rotating credentials leaves the door open. If you want to compare exploit-aware prioritization with a score-only scanner, our side-by-side comparison walks through it on critical, actively exploited findings.
A textbook SQL injection became a global data-theft event because it sat on an internet-facing product few teams had a fast inventory of. Continuous visibility plus emergency patching is the entire defense.
Get started at app.safeguard.sh/register, or read the documentation at docs.safeguard.sh.