CVE REFERENCE | CRITICAL VULNERABILITY
Active Threat | 11 min read

CVE-2023-34362: MOVEit Transfer SQL Injection — CLOP's Mass Data Extortion Campaign

A CVSS 9.8 SQL injection zero-day in Progress MOVEit Transfer exploited by CLOP ransomware to steal data from 1,000+ organizations simultaneously, including US federal agencies, airlines, and payroll processors. 60+ million records exposed.

CVSS Score: 9.8
Organizations Breached: 1,000+
Records Stolen: 60M+
Disclosure Status: Zero-Day

CVE-2023-34362 is a SQL injection vulnerability in Progress MOVEit Transfer — a widely deployed managed file transfer platform used by enterprises and government agencies to securely transfer their most sensitive files. Exploited as a zero-day by the CLOP ransomware group (FIN11/UNC2546) beginning May 27, 2023, it became the foundation of the largest coordinated data extortion campaign in history: over 1,000 organizations breached simultaneously, with an estimated 60 million individuals' personal data stolen in weeks.

The attack was pure data extortion. CLOP installed web shells on compromised MOVEit servers, systematically downloaded the most sensitive transferred files, then contacted victim organizations threatening to publish the stolen data on their leak site unless ransoms were paid. No encryption occurred — making backup-based recovery completely irrelevant. The nature of MOVEit meant the stolen files were by definition the most sensitive documents organizations had transferred: healthcare records, government documents, financial data, and personal information.

How CVE-2023-34362 Works: SQL Injection to Web Shell Deployment

MOVEit Transfer's web application processes HTTP requests through endpoints that pass user-supplied input into SQL queries without adequate sanitization. An unauthenticated attacker sends crafted HTTP POST requests to MOVEit's HTTPS interface with SQL injection payloads that alter the intended query structure. The injected SQL accomplishes two objectives: authentication bypass (manipulating query logic to return records granting access) and privilege escalation to OS command execution through the database server's built-in file and command execution capabilities.

With code execution achieved, CLOP deployed a web shell named human2.aspx — a deliberate misspelling of a legitimate MOVEit file — to MOVEit's web root. This provided persistent access for ongoing file enumeration and download even after initial exploitation. CLOP used this access to systematically identify and exfiltrate the highest-value files stored or recently transferred through each compromised instance.

  1. Identify MOVEit Transfer instances
     Enumerate internet-facing MOVEit Transfer web portals. MOVEit's login interface is distinctive. CLOP used targeted lists of known enterprise MOVEit customers alongside automated scanning.

  2. Inject SQL via unauthenticated endpoint
     Send crafted HTTP POST requests to MOVEit's web interface with SQL injection payloads that manipulate authentication queries, bypassing the login requirement and gaining application-level access.

  3. Escalate to OS command execution
     Use database server file write and command execution capabilities to write files to the MOVEit web directory and execute OS commands as the MOVEit service account.

  4. Deploy human2.aspx web shell
     Write the CLOP-developed ASPX web shell to the MOVEit web root, providing persistent HTTP-accessible command execution and file access that survives application restarts.

  5. Enumerate and exfiltrate files
     Use the web shell to browse MOVEit's file storage and download high-value transferred files — healthcare records, financial documents, government data, PII — to attacker-controlled infrastructure.

  6. Extort victims
     Contact breached organizations via email threatening to publish stolen files on CLOP's leak site unless ransoms are paid. No encryption occurs — the leverage is the stolen data itself.

The CLOP Campaign: Supply Chain Breach at Scale

CLOP's MOVEit campaign was architecturally distinct from typical ransomware: rather than attacking individual organizations one by one, they targeted the platform used by hundreds of organizations to transfer their most sensitive files. A single vulnerability in MOVEit granted simultaneous access to the sensitive data of every organization running a vulnerable instance. The Memorial Day timing minimized immediate detection by security teams. The victim list reads like a cross-sector breach of extraordinary breadth: US Department of Energy, Shell, British Airways, the BBC, Boots, Aer Lingus, Maximus (11 million Medicaid/Medicare records), the Oregon DMV (3.5 million vehicle registration records), Louisiana OMV, University of California, Stanford University, and hundreds of others.

The companion vulnerabilities CVE-2023-35036 and CVE-2023-35708 were disclosed in June 2023, representing additional SQL injection flaws in the same product. Organizations that patched only CVE-2023-34362 remained exploitable until these separate patches were also applied.

CLOP actors exploit CVE-2023-34362 to install a webshell on affected MOVEit Transfer servers. Threat actors use the webshell to list and exfiltrate data stored on the MOVEit Transfer server.

CISA Advisory AA23-158A, June 2023

Patching and Responding to CVE-2023-34362

Progress released patches June 1–6, 2023 depending on version. If you are still running unpatched MOVEit Transfer, treat the server as compromised and take it offline during remediation.

Apply patches for CVE-2023-34362 and companion CVEs

Patch to: 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, 2021.0.6, 2020.1.10, or 2020.0.8+ depending on your version. Then separately apply patches for CVE-2023-35036 and CVE-2023-35708. All three require their own updates.

Search for and remove web shells immediately

Check the MOVEit Transfer web directory (C:\MOVEitTransfer\wwwroot\ on Windows) for unauthorized ASPX files. Look specifically for human2.aspx and for any other .aspx files that were not part of the original installation. Preserve copies of anything suspicious for forensic analysis, remove all unauthorized files, and restart the MOVEit Transfer service.
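An added example, not from the advisory or from Progress, of the web-root review described above as a PowerShell check: it compares every ASPX-style handler under the web root against a hash baseline exported from a clean installation of the same version and flags the known human2.aspx name, files missing from the baseline, and files whose content has changed. The baseline CSV location and its column names (RelativePath, Hash) are assumptions; the web-root path and the May 27, 2023 exposure start come from the text.

```powershell
# Added example: report-only hunt for unauthorized ASPX files in the MOVEit Transfer web root.
# Assumed (not from the page): a CSV baseline of SHA256 hashes exported from a clean install
# of the same MOVEit version, e.g.
#   Get-ChildItem $WebRoot -Recurse -File -Include *.aspx,*.ashx,*.asmx |
#     ForEach-Object { [pscustomobject]@{ RelativePath = $_.FullName.Substring($WebRoot.Length).TrimStart('\')
#                                          Hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash } } |
#     Export-Csv $BaselineCsv -NoTypeInformation
param(
    [string]$WebRoot       = 'C:\MOVEitTransfer\wwwroot',          # default path named in the text
    [string]$BaselineCsv   = 'C:\MOVEit-baseline\aspx-hashes.csv', # assumed location
    [datetime]$ExposureStart = [datetime]'2023-05-27'              # first known exploitation (from the text)
)

# Load the clean-install baseline as a case-insensitive lookup: relative path -> SHA256.
$baseline = @{}
Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.RelativePath.ToLower()] = $_.Hash.ToUpper() }

$findings = foreach ($f in Get-ChildItem -Path $WebRoot -Recurse -File -Include *.aspx,*.ashx,*.asmx) {
    $rel  = $f.FullName.Substring($WebRoot.Length).TrimStart('\').ToLower()
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToUpper()

    # Order matters: the known shell name is reported first, then anything outside the baseline,
    # then baseline files whose content no longer matches (possible tampering of a legitimate page).
    $reason = $null
    if ($f.Name -ieq 'human2.aspx')            { $reason = 'Known CLOP web shell filename (human2.aspx)' }
    elseif (-not $baseline.ContainsKey($rel))  { $reason = 'Not present in clean-install baseline' }
    elseif ($baseline[$rel] -ne $hash)         { $reason = 'Content differs from baseline hash' }

    if ($reason) {
        [pscustomobject]@{
            Path             = $f.FullName
            LastWriteUtc     = $f.LastWriteTimeUtc
            # Timestamps can be altered by an intruder; the baseline/hash mismatch is the stronger signal.
            InExposureWindow = ($f.LastWriteTimeUtc -ge $ExposureStart)
            SHA256           = $hash
            Reason           = $reason
        }
    }
}

if ($findings) {
    $findings | Sort-Object LastWriteUtc | Format-Table -AutoSize
    Write-Warning ("{0} suspicious file(s) found under {1}; preserve copies before removal." -f @($findings).Count, $WebRoot)
    exit 1   # non-zero so the check can gate a scheduled task or incident-response runbook
} else {
    Write-Host "No unauthorized ASPX handlers found under $WebRoot"
}
```

The script only reports; deletion and the service restart remain deliberate manual steps after the flagged files have been copied to an evidence location.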

Reset all MOVEit service account credentials and API tokens

Assume all service account passwords, API keys, and integration credentials stored in MOVEit Transfer were accessible to the attacker. Rotate all of these immediately after patching.

Audit all file transfer activity during the exposure window

Review MOVEit Transfer audit logs to identify every file accessed or downloaded during the exploitation window. Document all potentially exfiltrated files — this is required for breach notification assessment under GDPR, HIPAA, and state data breach laws.

Engage legal counsel for breach notification

Given the sensitivity of data typically transferred via MOVEit, proactively assess notification obligations under applicable laws regardless of whether exfiltration is confirmed. CLOP's targeting was opportunistic — many organizations only learned of their breach when CLOP contacted them with proof of stolen data.

The bottom line

CVE-2023-34362 and the CLOP MOVEit campaign represent the maturation of supply chain targeting as a ransomware strategy. Rather than attacking individual organizations, CLOP exploited the platform used to move the most sensitive data — gaining simultaneous access to hundreds of organizations' crown jewels through a single vulnerability.

Data extortion without encryption is now a primary tactic for exactly this reason: it is immune to backup-based recovery, it creates regulatory and reputational pressure regardless of whether victims pay, and it requires no operational complexity beyond file collection. The only effective defense is preventing exfiltration — which means patching managed file transfer platforms immediately, monitoring for anomalous outbound data transfers, and treating these platforms as critical-risk infrastructure requiring the same rigor as production databases.

Frequently asked questions

What is CVE-2023-34362?

CVE-2023-34362 is a CVSS 9.8 SQL injection zero-day in Progress MOVEit Transfer. An unauthenticated attacker injects SQL into MOVEit's web interface, bypassing authentication and executing OS commands through database escalation mechanisms. CLOP ransomware exploited it before patches existed to breach 1,000+ organizations.

How serious is CVE-2023-34362?

The most impactful data breach campaign of 2023. Over 60 million individuals' records were stolen from 1,000+ organizations. Victims include US federal agencies, British Airways, the BBC, Maximus (11 million records), Oregon DMV (3.5 million records), and hundreds of others. CVSS 9.8, no authentication required.

Was CVE-2023-34362 exploited before the patch?

Yes. CLOP began exploiting MOVEit Transfer around May 27, 2023 — Memorial Day weekend in the US. Progress published an advisory and patch June 1–2, 2023, but by then CLOP had already breached hundreds of organizations and installed persistent web shells for ongoing data collection.

Are there related MOVEit CVEs?

Yes. CVE-2023-35036 and CVE-2023-35708 are additional SQL injection vulnerabilities in the same product disclosed in June 2023. Organizations that only patched CVE-2023-34362 remained vulnerable to these companion flaws until separate patches were applied.

Why couldn't affected organizations recover with backups?

CLOP used pure data extortion — they stole files and threatened to publish them but did not encrypt production systems. Backup restoration is irrelevant when the threat is publication of already-stolen data. Only prevention of exfiltration is an effective defense.

How do I patch CVE-2023-34362?

Apply the June 2023 patches for your MOVEit version branch: 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, 2021.0.6, 2020.1.10, or 2020.0.8 and later. Also apply separate patches for CVE-2023-35036 and CVE-2023-35708.

Sources & references

  1. NVD
  2. CISA Advisory AA23-158A
  3. Progress Software Advisory

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.