CVE-2023-34362

Progress MOVEit Transfer — Unauthenticated SQL Injection Enables Data Exfiltration and Webshell Deployment; Cl0p Mass Exploitation Campaign
CVSS 3.1: 9.8 / 10 — CRITICAL | CISA Known Exploited Vulnerability

Overview

Actively exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on June 2, 2023, with a remediation deadline of June 23, 2023. Federal agencies are required to apply mitigations under BOD 22-01.

CVE-2023-34362 is a critical SQL injection vulnerability in Progress MOVEit Transfer, a widely-used managed file transfer (MFT) platform. Unauthenticated attackers can inject SQL through the MOVEit Transfer web application, gaining access to the underlying database and enabling unauthorized file access, credential extraction, and persistent webshell deployment. The vulnerability was exploited as a zero-day by the Cl0p ransomware group (TA505) in a coordinated mass exploitation campaign over the 2023 Memorial Day weekend, ultimately affecting over 2,500 organizations and exposing data on an estimated 66–100 million individuals — one of the largest data breach campaigns in history.

What Is MOVEit Transfer?

MOVEit Transfer (formerly by Ipswitch, acquired by Progress Software) is an enterprise managed file transfer platform used by governments, healthcare systems, financial institutions, and large corporations to securely exchange files. It is particularly prevalent in regulated industries (healthcare, finance, government) where secure file transfer is a compliance requirement — making it a high-value target for threat actors seeking large caches of sensitive data. MOVEit Transfer exposes a web interface, automation API, and SFTP interface, with the web application being the vector for this vulnerability.

Affected Versions

MOVEit Transfer Version   Status
2023.0.0 (15.0)           Vulnerable — fixed in 2023.0.1
2022.1.x (14.1)           Vulnerable — fixed in 2022.1.5
2022.0.x (14.0)           Vulnerable — fixed in 2022.0.4
2021.1.x (13.1)           Vulnerable — fixed in 2021.1.4
2021.0.x (13.0)           Vulnerable — fixed in 2021.0.6
Older versions            Vulnerable — upgrade required

MOVEit Cloud (SaaS) was patched by Progress Software directly. On-premises deployments required manual patching.

Technical Details

Root Cause: SQL Injection in the MOVEit Web Application

The MOVEit Transfer web application contains SQL injection vulnerabilities in HTTP request handlers. Unauthenticated attackers can submit crafted HTTP requests (GET or POST) to the MOVEit web application that inject SQL commands into database queries, executing against the backend database (Microsoft SQL Server, MySQL, or Azure SQL depending on deployment).

The specific injection points were not fully detailed in initial advisories to avoid enabling additional exploitation, but the vulnerability class is standard SQL injection: user-supplied input is incorporated into SQL queries without sufficient parameterization or sanitization, allowing attackers to:

  • Read arbitrary database contents — including file transfer metadata, user credentials (hashed), and session information
  • Create unauthorized administrative users — inserting rogue accounts into the MOVEit user tables
  • Access stored files — querying the database for file storage paths and reading transferred files
  • Deploy webshells (LEMURLOOT) — Cl0p's campaign deployed a custom ASP.NET webshell named LEMURLOOT to maintain persistent access after the SQL injection phase

The LEMURLOOT Webshell

Cl0p's tooling deployed a custom webshell with the filename human2.aspx (designed to blend in with MOVEit's human.aspx interface). LEMURLOOT:

  • Authenticated via a hardcoded password to prevent access by other threat actors
  • Enabled file listing, download, and upload via HTTP
  • Exfiltrated the moveitsys service account credentials
  • Provided persistent access even after SQL injection was patched (required webshell removal as a separate remediation step)

Cl0p's Operational Pattern

Cl0p's Memorial Day weekend exploitation demonstrated a sophisticated pre-positioned attack:

  1. Pre-exploitation reconnaissance — Cl0p likely identified vulnerable MOVEit instances weeks or months in advance
  2. Mass exploitation in a tight window — Exploitation over a ~3-day holiday weekend maximized the window before detection and response
  3. Pure extortion (no encryption) — Unlike traditional ransomware, Cl0p did not encrypt victim systems; they exfiltrated data and threatened publication to compel ransom payment
  4. Victim notification via leak site — Cl0p listed organization names and set a July 14 deadline for payment before publishing data

Attack Characteristics

Attribute                 Detail
Attack Vector             Network — MOVEit Transfer web interface (HTTP/HTTPS)
Authentication Required   None — unauthenticated SQL injection
Exploitation Complexity   Low — standard SQL injection
Persistence Mechanism     LEMURLOOT webshell (human2.aspx)
Ransomware Behavior       Data extortion (no encryption) — Cl0p's "Cl0p^_-" leak site

Discovery

Progress Software was notified of active exploitation on May 31, 2023 — after Cl0p had already spent three days exploiting instances across the internet. The vulnerability's discovery and weaponization by Cl0p were independent of any public researcher disclosure. Mandiant later assessed that Cl0p had been testing and developing the exploit since at least 2021, with earlier probing activity detected against MOVEit instances. CVE-2023-34362 was published on June 2, 2023, the same day CISA added it to the KEV catalog and issued joint advisory AA23-158A with the FBI.

Exploitation Context

The MOVEit campaign was among the most impactful extortion campaigns ever conducted:

  • 2,500+ organizations breached (final count by late 2023)
  • 66–100 million individuals with data exposed — including U.S. federal employees
  • U.S. government agencies: Department of Energy, Department of Agriculture, Office of Personnel Management contractors, and others
  • Major organizations: BBC, British Airways, Shell, Siemens Energy, Schneider Electric, UCLA, Johns Hopkins University, Colgate-Palmolive, and many more
  • Healthcare sector: Multiple hospital systems and health insurers; millions of patient records exposed
  • State government data: Missouri, Colorado, Oregon, Louisiana, and others had citizen data exposed
  • No encryption, just extortion: Cl0p's approach of pure data theft without system disruption meant many victims discovered the breach only when Cl0p published their names

Two additional MOVEit Transfer vulnerabilities were disclosed and patched in the weeks following: CVE-2023-35036 (June 15) and CVE-2023-35708 (June 23).

Remediation

CISA BOD 22-01 Deadline: June 23, 2023. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Apply the emergency patch from Progress Software immediately. Also apply patches for CVE-2023-35036 and CVE-2023-35708. Verify your MOVEit Transfer version against the fixed version table above.

  2. Hunt for the LEMURLOOT webshell — search for human2.aspx and any unexpected .aspx files in the MOVEit web root:

    C:\MOVEitTransfer\wwwroot\

    Delete any unauthorized files found. Also review IIS application pool identities for unexpected additions.

  3. Audit for unauthorized admin accounts — review the MOVEit user database for accounts created after May 27, 2023 that are not recognized. Cl0p created admin accounts to maintain access.

  4. Review all file transfers since May 27, 2023 — audit the MOVEit Transfer database and logs for unexpected file downloads, particularly bulk downloads of files the requesting account should not have accessed.

  5. Rotate credentials — the moveitsys service account credentials and any database credentials stored in MOVEit configuration files should be considered compromised and rotated.

  6. Restrict network access — MOVEit Transfer's web interface (ports 80/443) and SFTP (port 22) should only be accessible from known, authorized IP ranges. Consider placing behind a VPN for non-public file transfer use cases.

  7. Engage incident response if exploitation is suspected — Cl0p's webshell persists independently of patching. Patching the SQL injection does not remove webshells or unauthorized accounts already created.
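As an added example (not Progress tooling or code from this advisory), the following Python script implements hunt steps 2 and 3 over a constructed web root and constructed account records: it flags human2.aspx and any .aspx page not on an allowlist, and lists admin accounts created on or after May 27, 2023 that are not recognised. The allowlist of known pages and the account record layout are assumptions.

```python
from datetime import date
from pathlib import Path
import tempfile

CAMPAIGN_START = date(2023, 5, 27)   # first day of the Memorial Day weekend campaign
LEMURLOOT_NAME = "human2.aspx"       # webshell filename used by Cl0p
KNOWN_ASPX = {"human.aspx"}          # assumed allowlist; build yours from a clean install


def hunt_webshells(wwwroot, known=KNOWN_ASPX):
    """Return sorted (relative_path, reason) for .aspx files under wwwroot not on the allowlist.
    Matching is case-insensitive so Human2.ASPX is not missed; non-.aspx files are ignored."""
    root = Path(wwwroot)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() != ".aspx":
            continue
        name = p.name.lower()
        rel = p.relative_to(root).as_posix()
        if name == LEMURLOOT_NAME:
            findings.append((rel, "LEMURLOOT filename"))
        elif name not in known:
            findings.append((rel, "unexpected .aspx"))
    return sorted(findings)


def suspicious_admins(accounts, expected, since=CAMPAIGN_START):
    """accounts: iterable of (username, created date, is_admin). Flag admin accounts
    created on/after `since` whose username is not in the `expected` set."""
    return sorted(u for u, created, is_admin in accounts
                  if is_admin and created >= since and u not in expected)


def demo():
    """Build a constructed web root in a temp dir and run both hunts over it."""
    root = Path(tempfile.mkdtemp())
    for rel in ["human.aspx", "Human2.ASPX", "api/cmd.aspx", "css/site.css"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<%-- constructed sample --%>")
    accounts = [("admin", date(2021, 3, 1), True),      # long-standing, expected
                ("svc_sync", date(2023, 5, 28), True),  # new admin inside the window
                ("jdoe", date(2023, 6, 5), False)]      # new, but not an admin
    return hunt_webshells(root), suspicious_admins(accounts, expected={"admin"})


if __name__ == "__main__":
    files, users = demo()
    print("webshell candidates:", files)
    print("unrecognised admins:", users)
```

Run it against the real web root and an export of the MOVEit user table; every hit still needs manual confirmation before deletion.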

Key Details

Property               Value
CVE ID                 CVE-2023-34362
Vendor / Product       Progress — MOVEit Transfer
NVD Published          2023-06-02
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-89 — Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
CISA KEV Added         2023-06-02
CISA KEV Deadline      2023-06-23
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-06-23. Apply updates per vendor instructions.

Timeline

Date         Event
2023-05-27   Cl0p begins mass exploitation of MOVEit Transfer instances over the Memorial Day weekend
2023-05-31   Progress Software notified of active exploitation; begins incident response
2023-06-01   Progress Software releases emergency patch and advisory
2023-06-02   CVE-2023-34362 published; CISA KEV added same day; CISA/FBI joint advisory AA23-158A released
2023-06-06   Cl0p claims responsibility and begins threatening to publish stolen data; sets July 14 extortion deadline
2023-06-15   Second MOVEit vulnerability CVE-2023-35036 patched
2023-06-23   CISA BOD 22-01 remediation deadline; third vulnerability CVE-2023-35708 patched
2023-07-14   Cl0p begins publishing victim names on leak site
2023-08-01   Breach count exceeds 600 organizations; 40+ million individuals affected