Tags: MOVEit, CVE-2023-34362, SQL injection, Cl0p, ransomware, file transfer

MOVEit CVE-2023-34362: The SQL Injection That Compromised Thousands of Companies

CVE-2023-34362 is a critical SQL injection in MOVEit Transfer exploited by the Cl0p gang. Analysis of the attack, victims and security hardening measures.

April 23, 2026 · 3 min read

In May–June 2023, the Cl0p ransomware gang ran one of the largest exploitation campaigns in recent history. The target: MOVEit Transfer, a managed file transfer product used by thousands of companies worldwide. The vulnerability: CVE-2023-34362, a SQL injection that allowed complete data exfiltration.

What is MOVEit Transfer?

MOVEit Transfer (vendor: Progress Software) is a secure file exchange solution used in critical sectors: healthcare, finance, government, and industry. Millions of sensitive files — patient data, financial information, personal records — flow through these servers daily.

CVE-2023-34362: The Critical SQL Injection

Mechanism

CVE-2023-34362 is a SQL injection in MOVEit Transfer's web interface. An unauthenticated attacker can send specially crafted HTTP requests to inject SQL commands into the database, enabling them to:

  1. Create fake admin accounts
  2. List all files stored on the server
  3. Download all files without authentication
  4. Delete data to cover their tracks

CVSS Score: 9.8 (Critical)
Published: May 31, 2023 (exploited at scale from May 27)
Affected versions: MOVEit Transfer and MOVEit Cloud (all versions before the patch)
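To make the mechanism concrete, here is an added illustration (not code from the original post and not MOVEit's own code) of why a SQL injection in a web interface lets an unauthenticated request read rows it should never see: the same lookup is written once with string concatenation and once with a bound parameter, against a constructed in-memory SQLite table whose column names only loosely echo the page's queries. The hardened form is the standard fix: the database treats the input as data, so no crafted string can change the shape of the query.

```python
import sqlite3

def build_db():
    # Constructed demo schema; it is not MOVEit's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, permission INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 10), ("bob", 10), ("sysadmin", 30)])
    return conn

def lookup_unsafe(conn, username):
    # Vulnerable pattern: caller-controlled text is spliced into the SQL statement,
    # so the parser sees whatever the request author wrote as part of the query.
    sql = "SELECT username, permission FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Hardened pattern: the value is bound as a parameter and can only ever be
    # compared as a string; it cannot alter the WHERE clause.
    sql = "SELECT username, permission FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# A constructed input that rewrites the unsafe query's WHERE clause.
CRAFTED = "x' OR permission = 30 --"

if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_unsafe(db, CRAFTED))   # leaks the admin row
    print("safe:  ", lookup_safe(db, CRAFTED))     # no row named literally "x' OR ..."
```

Running it shows the concatenated query returning the admin account even though no such username was requested, while the parameterized query returns nothing. A code review or SAST rule that flags string-built SQL in request handlers catches this class before it ships.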

Mass Exploitation

Cl0p was exploiting CVE-2023-34362 from May 27, 2023 — the US Memorial Day weekend, a strategic moment when security teams are reduced. Within days:

  • Thousands of MOVEit servers scanned and exploited
  • No ransomware deployed — pure data exfiltration, followed by extortion demands in exchange for not publishing the stolen data

The Scale of Victims

The list of affected organizations is staggering:

Governments and public sector:

  • US States: Oregon, Louisiana, Missouri — driver's license data for millions of citizens
  • Office of Personnel Management (US) — federal employee data
  • BBC, British Airways, Boots (via Zellis, HR provider)

Finance and insurance:

  • Genworth Financial (~2.7 million customers)
  • Teachers Insurance and Annuity Association (TIAA)
  • Pension Benefit Information

Healthcare:

  • Maximus (~8–11 million people)
  • Colorado HCPF (~4 million Medicaid recipients)
  • Johns Hopkins Medicine

Education:

  • Thousands of universities through shared vendors

Global estimated figures:

  • 2,600+ organizations confirmed affected
  • 77 million+ people whose data was compromised
  • Over $1 billion in estimated costs

CVE-2023-35036 and CVE-2023-35708: The Follow-Ups

Progress Software subsequently disclosed two more critical vulnerabilities found during post-incident auditing:

  • CVE-2023-35036 (CVSS 9.1): second SQL injection, same vector
  • CVE-2023-35708 (CVSS 9.8): third SQL injection

These vulnerabilities illustrate that a thorough security audit often reveals additional flaws of the same type.

Detecting a Compromise

IOCs in IIS/MOVEit Logs

-- Admin-level accounts (permission = 30) created after the start of the
-- exposure window, to be reviewed against the expected account creation history
SELECT * FROM moveitisapi.dbo.users
WHERE permission = 30
AND createstamp > '2023-05-26';

-- Abnormally large downloads in the same window, largest first, to spot
-- a single account pulling far more data than its normal usage
SELECT username, filename, filesize, accessstamp
FROM moveitisapi.dbo.log
WHERE action = 'Download'
AND accessstamp > '2023-05-26'
ORDER BY filesize DESC;

Suspicious Files to Search For

  • .aspx web shells in the MOVEit wwwroot directory
  • User accounts with auto-generated usernames (e.g., "Health0851")
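The two queries and the two file-system indicators above are easy to run once, but an incident responder usually wants them applied together over exported rows and a directory listing. The script below is an added example written for this post (it is not Progress Software's tooling and not part of the original page): it takes constructed rows shaped like the columns the queries select, the exposure-window date the queries use, and a hypothetical wwwroot listing, and reports each indicator. The 1 GiB bulk-download threshold, the username regex derived from the single "Health0851" example, and the .aspx placeholder filename are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# All rows below are constructed for this example; they are not real MOVEit data.
# Column names mirror the queries above (permission, createstamp, accessstamp, ...).
USERS = [
    {"username": "jsmith",      "permission": 10, "createstamp": "2023-03-02 09:15:00"},
    {"username": "moveitadmin", "permission": 30, "createstamp": "2022-11-14 10:00:00"},
    {"username": "Health0851",  "permission": 30, "createstamp": "2023-05-28 03:41:12"},
]
LOG = [
    {"username": "jsmith",     "action": "Download", "filename": "q1.xlsx",
     "filesize": 2_400_000, "accessstamp": "2023-05-29 14:02:00"},
    {"username": "Health0851", "action": "Download", "filename": "payroll.zip",
     "filesize": 4_100_000_000, "accessstamp": "2023-05-28 03:45:00"},
    {"username": "Health0851", "action": "Download", "filename": "hr.zip",
     "filesize": 2_900_000_000, "accessstamp": "2023-05-28 03:50:00"},
    {"username": "jsmith",     "action": "Upload", "filename": "memo.docx",
     "filesize": 120_000, "accessstamp": "2023-05-29 15:00:00"},
]
# Hypothetical wwwroot listing; the .aspx entry is a placeholder name, not a known IOC.
WWWROOT = ["moveitisapi/moveitisapi.dll", "css/site.css", "unknown_dropped.aspx"]

ADMIN_PERMISSION = 30                   # admin level used by the page's first query
EXPOSURE_START = datetime(2023, 5, 26)  # window start used by both queries above
BULK_THRESHOLD = 1 << 30                # 1 GiB per user; an assumed tuning value

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def recent_admins(users, since):
    """Admin-level accounts created after the start of the exposure window."""
    return [u["username"] for u in users
            if u["permission"] == ADMIN_PERMISSION and _ts(u["createstamp"]) > since]

def autogenerated_names(users):
    """Usernames shaped like 'Health0851': a capitalised word followed by four digits.
    The pattern is an assumption generalised from that single example."""
    return [u["username"] for u in users
            if re.fullmatch(r"[A-Z][a-z]+\d{4}", u["username"])]

def bulk_downloaders(log, since, threshold):
    """Users whose total Download volume in the window exceeds threshold, largest first.
    Aggregating per user catches many medium-sized pulls that a per-file sort would miss."""
    totals = defaultdict(int)
    for row in log:
        if row["action"] == "Download" and _ts(row["accessstamp"]) > since:
            totals[row["username"]] += row["filesize"]
    return sorted(((u, b) for u, b in totals.items() if b > threshold),
                  key=lambda x: x[1], reverse=True)

def aspx_in_wwwroot(paths):
    """Every .aspx file under wwwroot is worth inspecting, per the indicator above."""
    return [p for p in paths if p.lower().endswith(".aspx")]

def triage(users=USERS, log=LOG, wwwroot=WWWROOT):
    """Run all four checks and return the findings keyed by indicator name."""
    return {
        "recent_admins": recent_admins(users, EXPOSURE_START),
        "autogenerated_names": autogenerated_names(users),
        "bulk_downloaders": bulk_downloaders(log, EXPOSURE_START, BULK_THRESHOLD),
        "aspx_files": aspx_in_wwwroot(wwwroot),
    }

if __name__ == "__main__":
    for indicator, hits in triage().items():
        print(f"{indicator}: {hits}")
```

On real data, export the two result sets from the queries above as rows with the same column names and replace the constructed lists; the per-user aggregation in bulk_downloaders is the part worth keeping, since a single ORDER BY filesize only surfaces the largest individual files.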

Remediation

1. Patch Immediately

Progress Software released emergency patches. Check the official MOVEit security bulletin page.

2. Temporarily Block HTTP/HTTPS Access

If you can't patch immediately, block all inbound internet access to port 443 (HTTPS) on your MOVEit instance until the patch is applied.

3. Audit Recent Access

Review access logs and identify the files downloaded and accounts created during the exposure window.

4. Notify Affected Individuals

If personal data was exfiltrated, comply with GDPR/CCPA notification obligations (under GDPR, the supervisory authority must be notified within 72 hours of becoming aware of the breach).

Lessons from the MOVEit Attack

  1. File transfer software is a priority target — it concentrates sensitive data and is often internet-exposed
  2. A single SQL injection is enough to steal everything — no RCE needed to exfiltrate terabytes
  3. Attack timing is strategic — holiday weekends are exploited intentionally
  4. Supply chain is a major vector — Cl0p targeted MOVEit to hit thousands of customers in a single campaign

Check if your MOVEit version is affected on cveo.tech — search for moveit to see all referenced CVEs.
