Safeguard
Vulnerability Analysis

MOVEit Transfer SQL injection mass-exploitation (CVE-2023-34362)

CVE-2023-34362, the MOVEit Transfer SQL injection exploited by Cl0p, hit 2,600+ organizations. Impact, timeline, and remediation steps inside.

Karan Patel
Security Analyst
7 min read

In late May 2023, attackers began mass-exploiting a previously unknown SQL injection vulnerability in Progress Software's MOVEit Transfer, a widely deployed managed file transfer (MFT) platform used by enterprises and government agencies to move sensitive data between systems. The flaw, tracked as CVE-2023-34362, allowed unauthenticated attackers to inject SQL commands into the MOVEit Transfer web application, escalate to remote code execution, and drop a custom web shell to exfiltrate data directly from customer databases. The Cl0p ransomware and extortion group weaponized the bug days before a patch existed, running one of the largest single-vulnerability data-theft campaigns on record — ultimately affecting more than 2,600 organizations and an estimated 60+ million individuals, including federal agencies, payroll providers, airlines, and universities. This post breaks down what the vulnerability is, who it hit, how the exploitation timeline unfolded, and what remediation and detection steps security teams should have already validated in their own environments.

What is CVE-2023-34362?

CVE-2023-34362 is a SQL injection vulnerability in Progress Software's MOVEit Transfer application, present in the web-based management interface. Improper input validation allowed an unauthenticated, remote attacker to send specially crafted HTTP requests to the MOVEit Transfer front end, injecting SQL that was executed against the application's backend database (SQL Server, MySQL, or Azure SQL, depending on deployment).

Because MOVEit Transfer's database layer has broad privileges within the application, the SQL injection was not just a data-disclosure bug — it was a full compromise chain. Attackers used the injection to:

  • Enumerate and extract database contents, including stored files and credentials
  • Escalate privileges within the application
  • Write a custom ASPX web shell (commonly observed as human2.aspx or similarly named files) into the MOVEit Transfer web root
  • Use that web shell to browse, download, and exfiltrate files uploaded by MOVEit customers, and in some cases to further pivot into connected systems

The exploitation was not opportunistic scanning — it was executed by Cl0p (also tracked as TA505/FIN11-linked activity) as a deliberate, pre-planned mass-exploitation campaign against a zero-day, with automated tooling that hit thousands of internet-facing MOVEit instances within a matter of days.

Affected versions and components

CVE-2023-34362 affects all supported and unsupported versions of MOVEit Transfer prior to the patched releases issued by Progress Software on May 31, 2023. The affected component is the MOVEit Transfer web application itself (not the separate MOVEit Automation product, though related advisories followed for other MOVEit components).

Progress Software's initial fix covered:

  • MOVEit Transfer 2021.0 (13.0), fixed in 13.0.8
  • MOVEit Transfer 2021.1 (13.1), fixed in 13.1.6
  • MOVEit Transfer 2022.0 (14.0), fixed in 14.0.6
  • MOVEit Transfer 2022.1 (14.1), fixed in 14.1.7
  • MOVEit Transfer 2023.0 (15.0), fixed in 15.0.2

Notably, the initial patch did not close the whole class of vulnerabilities. Follow-on code review by Progress, Huntress, and Rapid7 surfaced additional, related SQL injection flaws in the same codebase — CVE-2023-35036 (disclosed June 9, 2023) and CVE-2023-35708 (disclosed June 15, 2023) — requiring organizations to apply a second and third round of patches. Any environment that stopped at the May 31 patch and did not continue applying updates through mid-June 2023 remained exposed to a variant of the same underlying weakness class.

CVSS, EPSS, and KEV status

  • CVSS v3.1 Base Score: 9.8 (Critical) — reflecting network-exploitable, no authentication required, no user interaction, and high impact to confidentiality, integrity, and availability.
  • EPSS: given real-world mass exploitation before and during disclosure, EPSS scoring for CVE-2023-34362 sat in the highest percentile bands (exploitation probability near-certain) for the months following disclosure — a strong signal that severity scoring alone understated urgency; this was actively, not theoretically, exploited.
  • CISA KEV: added to the CISA Known Exploited Vulnerabilities catalog on June 2, 2023, with federal civilian agencies given a compressed remediation deadline under Binding Operational Directive 22-01, underscoring that this was treated as an active-incident-level vulnerability rather than a routine patch cycle.

The combination of a critical CVSS score, confirmed KEV listing, and evidence of exploitation prior to public disclosure makes this one of the clearest examples of why patch prioritization frameworks should weight exploitation evidence and KEV membership more heavily than CVSS alone.

Timeline

  • ~May 27, 2023 (Memorial Day weekend, US): Cl0p begins mass-exploiting the then-unknown SQL injection flaw against internet-facing MOVEit Transfer instances, deploying web shells and beginning data exfiltration before any public advisory exists.
  • May 31, 2023: Progress Software publishes a security advisory for CVE-2023-34362 and releases patches for all affected MOVEit Transfer versions. Organizations are urged to take instances offline immediately if they cannot patch right away.
  • June 2, 2023: CISA adds CVE-2023-34362 to the KEV catalog. Cl0p publicly claims responsibility for the campaign via its dark web leak site.
  • Early-mid June 2023: Victim disclosures accelerate. Organizations including the U.S. Department of Energy, Shell, British Airways, the BBC, and payroll provider Zellis (impacting downstream customers) confirm exposure.
  • June 9, 2023: Progress discloses CVE-2023-35036, a second SQL injection vulnerability found during post-incident code review, with an accompanying patch.
  • June 15, 2023: Progress discloses CVE-2023-35708, a third related SQL injection, again with a patch — closing out the immediate patch cycle roughly three weeks after initial exploitation began.
  • Through late 2023: Cl0p continues to list and extort victim organizations, with cumulative victim counts climbing past 2,600 organizations and tens of millions of affected individuals, making this one of the largest breach events tied to a single vulnerability.

Remediation steps

Security and IT teams operating MOVEit Transfer — or assessing legacy exposure from this campaign — should validate the following:

  1. Patch to current, fully updated versions. Applying only the May 31 patch is insufficient; ensure versions also incorporate the June 9 and June 15 fixes for CVE-2023-35036 and CVE-2023-35708. Confirm against Progress Software's published version matrix, not just "patched around June 2023."
  2. Hunt for indicators of compromise, even on systems patched late. Look for unexpected .aspx files in the MOVEit web root and wwwroot directories (commonly named to resemble legitimate files, e.g., variants of human2.aspx), unusual IIS worker process activity, and unexplained entries in MOVEit's own audit/transfer logs.
  3. Review network and file transfer logs for the exploitation window. Pay particular attention to activity in the days around and after May 27, 2023, including unexpected outbound connections and large or unusual file downloads from the MOVEit web root.
  4. Rotate credentials and secrets. Any service accounts, API keys, or database credentials accessible to or stored within MOVEit Transfer should be rotated, given the SQL injection's ability to read database contents wholesale.
  5. Restrict and monitor external exposure. Where MOVEit Transfer does not need to be internet-facing, place it behind VPN or zero-trust access controls, and apply strict egress filtering and WAF rules as defense-in-depth even after patching.
  6. Assume downstream exposure if you are a customer of an affected third party. Because many victims were exposed via vendors (payroll processors, benefits administrators, government contractors) rather than direct MOVEit ownership, organizations should check vendor breach notifications and map their own third-party MOVEit exposure via SBOM or vendor risk questionnaires.
  7. If compromise is confirmed, engage incident response and legal/notification workflows immediately, given the high likelihood of data exfiltration and Cl0p's established pattern of extortion-driven public disclosure.

How Safeguard Helps

Mass-exploitation events like MOVEit underscore why static CVSS scores and generic vulnerability feeds aren't enough — teams need to know whether a vulnerable component is actually deployed, internet-reachable, and load-bearing in their environment before they can prioritize with confidence. Safeguard's reachability analysis pinpoints whether vulnerable code paths in components like MOVEit Transfer are actually invoked in your running services, cutting through noise so teams aren't chasing every CVE with equal urgency. Griffin AI continuously correlates KEV listings, EPSS trajectory, and exploitation intelligence against your live software inventory, surfacing critical, actively-exploited issues like CVE-2023-34362 the moment they're relevant to your stack rather than days into a mass-exploitation event. Safeguard's SBOM generation and ingest capabilities give security teams a real-time, queryable record of every third-party and vendor component in use, so when the next MOVEit-style advisory drops, "are we exposed, and where" is a search, not a scramble. And where a fix is available, Safeguard can open auto-fix pull requests that bump affected dependencies to patched versions, shrinking the gap between advisory and remediation from weeks to hours.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.