Incident Analysis

MOVEit Vulnerability Mass Exploitation: A Field Analysis

Inside the Cl0p ransomware gang's zero-day attack on Progress MOVEit Transfer, the CVE-2023-34362 timeline, and the supply chain lessons it exposed.

Shadab Khan
Security Engineer
5 min read

On May 31, 2023, Progress Software disclosed CVE-2023-34362, a SQL injection flaw in MOVEit Transfer that allowed unauthenticated attackers to drop a web shell and exfiltrate every file a tenant held. By mid-June, the Cl0p ransomware gang had hit more than 200 organizations, including the U.S. Department of Energy, Shell, British Airways, the BBC, and the Oregon Department of Transportation. Payroll provider Zellis, a single upstream dependency, carried the compromise into dozens of UK enterprises in one stroke. Unlike most ransomware events, Cl0p never encrypted data; they exfiltrated it and posted victim names on a leak site. This post reconstructs the timeline from the vantage of defenders, then examines the structural failures in managed file transfer (MFT) deployments that made one bug catastrophic across the ecosystem.

What exactly is CVE-2023-34362?

CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application that attackers chained into remote code execution. The attacker sent a crafted request to the /guestaccess.aspx endpoint, used the injection to manipulate session state, and then wrote an ASP.NET web shell named human2.aspx to the IIS wwwroot. Progress assigned the bug a CVSS of 9.8. The exploit was particularly elegant because MOVEit stores encryption keys and Azure Blob Storage credentials in the same database the SQL injection touched, so the shell could decrypt uploaded files and list tenant containers without pivoting further. Patches went out on May 31, June 9 (CVE-2023-35036), and June 15 (CVE-2023-35708), each closing additional SQL injection paths discovered during incident response.
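The bug class behind CVE-2023-34362 is string-built SQL, which lets request data rewrite the query. The following added example (not MOVEit's code; the in-memory `sessions` table, column names and crafted input are constructed for illustration) puts a concatenating lookup beside the parameterized version a code review or SAST rule should insist on, so the difference in behaviour on the same input is visible.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a session table; not MOVEit's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [("tok-aaa", "alice", "user"), ("tok-bbb", "svc-admin", "admin")],
    )
    return conn


def lookup_session_unsafe(conn, token):
    # Vulnerable pattern: the caller-supplied token is spliced into the SQL text,
    # so quote characters in it change the query's structure.
    sql = f"SELECT username, role FROM sessions WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_session_safe(conn, token):
    # Hardened pattern: the driver binds token as a value; it can never become SQL syntax.
    sql = "SELECT username, role FROM sessions WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


def demo():
    # Run the same constructed input through both lookups and return what each yields.
    conn = make_db()
    crafted = "x' OR role = 'admin' --"  # constructed probe input, not a real session token
    return {
        "unsafe_rows": lookup_session_unsafe(conn, crafted),  # returns the admin row
        "safe_rows": lookup_session_safe(conn, crafted),      # returns nothing: no such token
    }


if __name__ == "__main__":
    print(demo())
```

The safe variant is not "escaping done right"; it is a different contract with the database, which is why a SAST rule flagging any f-string or `+` that feeds `execute()` is worth more than a filter on quote characters.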

When did exploitation actually begin?

Exploitation began on May 27, 2023, four days before Progress publicly disclosed the flaw. Mandiant's telemetry shows Cl0p probes against MOVEit instances dating back to July 2021, suggesting the group had developed the primitive long before they launched the mass campaign over the U.S. Memorial Day holiday weekend. Microsoft attributed the activity to Lace Tempest (overlapping with FIN11 and TA505). Because exfiltration finished before most customers saw the advisory, patching alone was insufficient; nearly every unpatched internet-facing MOVEit instance had already been hit. CISA issued emergency directive ED-23-02 on June 7, 2023, compelling federal civilian agencies to patch within seven days.

How did a single vendor affect hundreds of organizations?

MOVEit is an MFT platform embedded deep in payroll, healthcare claims, and financial settlement workflows, so one compromised MOVEit tenant often exposed dozens of that tenant's customers. The best-studied example is Zellis, a UK payroll processor whose MOVEit instance leaked employee data for British Airways, Boots, Aer Lingus, and the BBC simultaneously. The Colorado Department of Health Care Policy and Financing reported 4 million patient records exposed through its MOVEit operator IBM. Maximus, a federal benefits contractor, disclosed 8-11 million affected individuals. This is the defining feature of fourth-party risk: your vendor's vendor becomes your incident, and contractual notification clocks start before you can identify exposure.

What made detection so difficult?

Detection was difficult because the attacker's initial traffic looked like ordinary authenticated web requests and the human2.aspx web shell mimicked legitimate MOVEit file names. Defenders relying on Progress's initial IOC list missed variants that renamed the shell or obfuscated its contents within minutes of the first public drop. Network monitoring caught the egress only if teams baselined MOVEit's normal outbound patterns; many did not, because MFT tools legitimately move large payloads to external storage. Early responders had success hunting for the string human2 in IIS logs and for .cmdline files in the MOVEit temp directory, but by late June Cl0p had rotated staging paths twice.

# Quick triage query for IIS logs
Select-String -Path "C:\inetpub\logs\LogFiles\*.log" `
  -Pattern "human2\.aspx|moveitisapi|/api/v1/folders/\d+/files"
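The Select-String query above catches the published indicators but, as the text notes, misses renamed shells and says nothing about egress. The added example below (not from the post or from Progress; the log lines, the expected-page allowlist and the egress threshold are constructed) parses IIS W3C log lines and layers three checks: the post's IOC pattern, an allowlist of expected .aspx pages so an unknown page name surfaces even when the shell is renamed, and a per-client total of response bytes against a baseline so a bulk download stands out.

```python
import re
from collections import defaultdict

# Constructed IIS W3C extended log excerpt. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; the URIs mirror the ones named in the post.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2023-05-28 03:14:05 10.0.0.5 GET /human.aspx - 443 203.0.113.7 Mozilla/5.0 200 2048 512
2023-05-28 03:14:09 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.7 Mozilla/5.0 200 1024 8192
2023-05-28 03:14:12 10.0.0.5 POST /human2.aspx - 443 203.0.113.7 Mozilla/5.0 200 4096 256
2023-05-28 03:15:01 10.0.0.5 GET /api/v1/folders/12345/files - 443 203.0.113.7 Mozilla/5.0 200 52428800 128
2023-05-28 03:16:30 10.0.0.5 POST /renamed.aspx - 443 203.0.113.7 Mozilla/5.0 200 4096 256
2023-05-28 08:00:00 10.0.0.5 GET /human.aspx - 443 198.51.100.20 Mozilla/5.0 200 2048 512
"""

# Same pattern as the PowerShell triage query in the post.
IOC_PATTERN = re.compile(r"human2\.aspx|moveitisapi|/api/v1/folders/\d+/files", re.IGNORECASE)

# Illustrative allowlist only: build the real one from a known-good install's wwwroot.
EXPECTED_PAGES = {"human.aspx", "guestaccess.aspx"}

# Constructed baseline: bytes served to one client in the window before it is worth a look.
EGRESS_THRESHOLD_BYTES = 10 * 1024 * 1024


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield dict(zip(fields, parts))


def triage(text):
    """Return (rule, client_ip, detail) findings for the three checks."""
    findings = []
    egress = defaultdict(int)
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "")
        ip = rec.get("c-ip", "?")
        query = rec.get("cs-uri-query", "-")
        target = stem if query == "-" else f"{stem}?{query}"
        page = stem.rsplit("/", 1)[-1].lower()
        if IOC_PATTERN.search(target):
            findings.append(("ioc_match", ip, stem))
        elif page.endswith(".aspx") and page not in EXPECTED_PAGES:
            # Behavioural check: an .aspx name the install never shipped with.
            findings.append(("unexpected_aspx", ip, stem))
        if rec.get("sc-bytes", "-").isdigit():
            egress[ip] += int(rec["sc-bytes"])
    for ip, total in egress.items():
        if total > EGRESS_THRESHOLD_BYTES:
            findings.append(("egress_volume", ip, str(total)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

On the constructed excerpt the IOC rule fires on human2.aspx and the folder listing, the allowlist rule fires on renamed.aspx, and the byte total for 203.0.113.7 exceeds the threshold, while the second client's ordinary login produces nothing. The allowlist and threshold are the two pieces that need a local baseline; without them only the first rule works, which is exactly the gap the post describes.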

What should customers have required from Progress and their MFT suppliers?

Customers should have required, and should still require, an SBOM, vulnerability disclosure history, and a secure development attestation aligned with NIST SSDF before signing an MFT contract. MOVEit Transfer's 2022 release was built on a 2003-era design with limited input validation at the ORM layer; a SAST-driven review would likely have surfaced the injection class years before Cl0p did. Post-incident, Progress adopted stricter SDLC gates and published a roadmap for rearchitecting the affected module, but that is cold comfort for the 62 million-plus individuals eventually notified. Downstream, healthcare and finance customers that already collected third-party risk questionnaires on Progress typically had no evidence backing the "yes" checkboxes.

How does this event reshape vendor risk thinking?

The MOVEit event reshapes vendor risk thinking by proving that criticality flows through data concentration, not vendor size. Progress is a mid-cap ISV, but MOVEit sat between hundreds of enterprises and tens of millions of people. That concentration made it an ideal mass-exploitation target regardless of vendor revenue. Enterprises should now inventory every MFT, ETL, and integration broker touching regulated data, demand monthly vulnerability and patch telemetry, and pre-stage contract clauses that require breach notification within 24-48 hours of discovery, not 30 days. The NIST SP 800-161r1 practice of tiering suppliers by data sensitivity and criticality, rather than spend, would have elevated MOVEit and Zellis to top-tier scrutiny well before May 2023.

How Safeguard Helps

Safeguard indexes MOVEit Transfer and its embedded dependencies in the SBOM graph, then runs reachability analysis against the ASP.NET request pipeline that CVE-2023-34362 abused, so teams see whether the vulnerable code path is actually invoked in their deployment. Griffin AI correlates CISA KEV catalog updates, Cl0p leak-site postings, and your inventory to produce a ranked exposure list within minutes of a new disclosure. The TPRM module tracks fourth-party exposure, so a Zellis-style chain from your payroll provider surfaces automatically. Policy gates can block any CI/CD release that includes a known-exploited MOVEit version, and the continuous monitoring feed alerts when a supplier discloses a new high-severity CVE. Together, these controls compress the mean time from disclosure to containment from weeks to hours.
