On May 31, 2023, Progress Software disclosed CVE-2023-34362, a critical SQL injection vulnerability in MOVEit Transfer, their managed file transfer (MFT) solution used by thousands of organizations worldwide. By the time the patch was available, the Cl0p ransomware gang had already been exploiting the vulnerability for weeks, exfiltrating data from hundreds of organizations including government agencies, financial institutions, healthcare providers, and critical infrastructure operators.
CVE-2023-34362 would become the single most impactful vulnerability of 2023, affecting over 2,500 organizations and exposing data belonging to more than 65 million individuals.
The Vulnerability
The vulnerability was a SQL injection flaw in MOVEit Transfer's web application. Specifically, it existed in the application's authentication handling, meaning an attacker could exploit it without any credentials.
The attack chain:
- Unauthenticated SQL injection through the MOVEit Transfer web interface
- The SQL injection allowed the attacker to extract database credentials and information about the MOVEit environment
- Using the extracted information, the attacker could write a web shell (a backdoor) to the MOVEit server
- The web shell (named human2.aspx) provided persistent access to the compromised server
- Through the web shell, the attacker could enumerate files and folders stored in MOVEit Transfer
- The attacker could then download any files from the MOVEit Transfer instance
The vulnerability had a CVSS score of 9.8 (Critical), placing it in the highest severity range.
Technical Details
MOVEit Transfer is an ASP.NET application running on IIS with a SQL Server backend. The SQL injection vulnerability existed in the moveitisapi.dll ISAPI extension, specifically in how it handled certain HTTP requests.
The exploit leveraged the X-siLock-Transaction header and specific API endpoints to inject SQL statements. The injection allowed the attacker to:
- Extract database information
- Create new admin accounts
- Write files to the web server filesystem
The web shell human2.aspx was designed to:
- Accept commands via HTTP requests
- Access the MOVEit Transfer database
- List and download files
- Exfiltrate data over HTTPS
The web shell was specifically crafted for MOVEit Transfer's environment, indicating that Cl0p had developed the exploit and tools specifically for this target.
The Cl0p Campaign
The Cl0p ransomware gang (also written as Clop) had been planning this campaign for a long time. Evidence suggests they discovered or acquired the vulnerability months before exploitation began and spent time developing and testing their exploitation tools.
Timeline
- Late 2022 / Early 2023: Cl0p likely discovers or acquires the MOVEit vulnerability
- May 27-28, 2023: Mass exploitation begins over the Memorial Day weekend (US)
- May 31, 2023: Progress Software issues a security advisory and patch
- June 1-5, 2023: Rapid patch deployment by organizations, but many are already compromised
- June 6, 2023: Cl0p begins posting victim names on their leak site
- June 7, 2023: CISA issues advisory on MOVEit vulnerability
- June-July 2023: New victims continue to be disclosed as organizations discover they were compromised
Why Memorial Day Weekend
Cl0p timed the mass exploitation for the Memorial Day weekend when many IT and security teams were operating with skeleton crews. This is a common tactic — attackers prefer to strike when response capabilities are diminished.
Why No Ransomware
Unlike typical ransomware operations, Cl0p didn't encrypt any systems in the MOVEit campaign. They focused exclusively on data theft and extortion. This was likely a tactical decision:
- Data theft is faster than encryption
- It generates less immediate alerting
- The extortion model (pay or we publish your data) doesn't require the complexity of managing decryption keys
The Scale of Impact
The MOVEit breach affected organizations across every sector:
Government agencies: Multiple US federal agencies, state governments, and international government bodies were affected. The Department of Energy, Department of Health and Human Services, and the Office of Personnel Management were among those impacted.
Financial services: Banks, insurance companies, and financial services firms that used MOVEit for secure file transfers were compromised.
Healthcare: Hospitals, health insurers, and pharmaceutical companies had patient data exposed.
Education: Universities and school districts that used MOVEit for administrative file transfers were affected.
Supply chain cascade: Many organizations were affected not because they used MOVEit directly, but because their vendors or service providers did. Payroll processors, benefits administrators, and other B2B service providers that used MOVEit exposed their clients' data.
Why MFT Applications Are High-Value Targets
Managed file transfer applications like MOVEit Transfer are attractive targets because:
- They contain sensitive data by design — organizations use MFT specifically for transferring files that are too sensitive for email
- They're internet-facing — MFT applications need to be accessible from outside the network
- They're trusted — MFT systems are trusted components in data workflows, so their traffic isn't closely scrutinized
- They're concentrated targets — compromising one MFT server gives you access to data from many different departments and partners
Lessons for the Industry
Patch Managed File Transfer Systems Immediately
MFT applications should be at the top of your patching priority list. They contain sensitive data, are internet-facing, and are high-value targets for sophisticated attackers.
Monitor MFT Logs Actively
Review MFT logs for unusual access patterns, large data transfers, and connections from unexpected IP addresses. Many organizations didn't detect the Cl0p exploitation even though the activity was visible in logs.
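As an added illustration of this kind of log review (not code from the original post or from Progress), the script below scans IIS W3C access logs from a MOVEit Transfer host for the three signals named above: requests to the human2.aspx web shell, bulk downloads per client, and clients outside an expected address range. The log lines, the partner allowlist, the download URL pattern and the byte threshold are all constructed assumptions, and the field set assumes sc-bytes logging is enabled in IIS.

```python
"""Scan IIS W3C logs from a MOVEit Transfer host for web shell hits, bulk
downloads and unexpected client IPs. All sample data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample log; field order follows the #Fields directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-05-28 03:10:02 GET / - 198.51.100.20 200 2300
2023-05-28 03:12:44 POST /human2.aspx - 203.0.113.7 200 1043
2023-05-28 03:13:01 GET /files/1001/download - 203.0.113.7 200 52428800
2023-05-28 03:13:09 GET /files/1002/download - 203.0.113.7 200 73400320
2023-05-28 09:00:15 GET /files/2001/download - 198.51.100.20 200 1048576
"""

# Assumed: ranges of partners/offices that legitimately use this MFT server.
EXPECTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
WEBSHELL_PATHS = {"/human2.aspx"}        # shell name used in the Cl0p campaign
BULK_BYTES = 100 * 1024 * 1024           # assumed per-client download threshold


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def analyze(text):
    """Return alerts: web shell requests, bulk downloaders, unexpected IPs."""
    alerts = {"webshell": [], "bulk": [], "unexpected_ip": set()}
    bytes_per_ip = defaultdict(int)
    for rec in parse_w3c(text):
        ip, path = rec["c-ip"], rec["cs-uri-stem"].lower()
        if path in WEBSHELL_PATHS:
            alerts["webshell"].append((ip, rec["cs-method"], path))
        if path.endswith("/download") and rec["sc-status"] == "200":
            bytes_per_ip[ip] += int(rec["sc-bytes"])
        if not any(ipaddress.ip_address(ip) in net for net in EXPECTED_RANGES):
            alerts["unexpected_ip"].add(ip)
    alerts["bulk"] = [ip for ip, total in bytes_per_ip.items() if total >= BULK_BYTES]
    return alerts


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, sorted(hits))
```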
Segment MFT Infrastructure
MFT servers should be in isolated network segments with strict access controls. They should not have broad access to internal resources.
Have an MFT Incident Response Plan
Know how you'll respond if your MFT system is compromised. This includes identifying what data was accessible, notifying affected parties, and restoring from clean backups.
How Safeguard.sh Helps
Safeguard.sh provides the visibility needed to manage risks from infrastructure components like MOVEit:
- Vulnerability Monitoring: Safeguard.sh tracks CVEs across your entire infrastructure, including web applications and file transfer systems, alerting you immediately when critical vulnerabilities are disclosed.
- Software Inventory: Safeguard.sh maintains a comprehensive inventory of all software in your environment, so when a vulnerability like CVE-2023-34362 is disclosed, you know instantly whether you're affected.
- Supply Chain Impact Assessment: When a vendor is compromised, Safeguard.sh helps you assess the downstream impact on your organization, identifying which data and systems may have been exposed.
- Compliance Reporting: Safeguard.sh generates reports documenting your vulnerability management and response activities, supporting regulatory compliance requirements for breach notification and risk management.
The MOVEit incident was a masterclass in how modern threat actors exploit supply chain concentrations. When thousands of organizations depend on a single product for sensitive data transfer, a single vulnerability becomes a global incident.