MOVEit 2023: How Cl0p Exploited a Zero-Day to Hit 2,500+ Companies
Context
MOVEit Transfer is a managed file transfer (MFT) software used by thousands of businesses and government agencies to exchange sensitive data. In May 2023, the Cl0p ransomware group exploited a zero-day vulnerability in MOVEit to launch a massive data extraction campaign.
The Vulnerability: CVE-2023-34362
The flaw is a SQL injection in MOVEit Transfer's web application. The vulnerable endpoint allowed an unauthenticated attacker to execute arbitrary SQL queries on the server's database.
The exploitation chain:
human2.aspx) on the server
Attack Timeline
May 27, 2023: first exploitation is detected. Cl0p had likely started exploiting the flaw before this date.
May 31, 2023: Progress Software (MOVEit's publisher) releases a patch and security advisory.
June 2, 2023: Microsoft attributes the exploitation to the Cl0p group (also known as Lace Tempest).
June 7, 2023: Cl0p claims the attack on its leak site and begins publishing victim names.
June through December 2023: the victim list keeps growing. More than 2,500 organizations are affected, impacting over 80 million individuals.
Notable Victims
The attack hit organizations across all sectors: the U.S. Department of Energy, Shell, British Airways, the BBC, the Nova Scotia government, universities, law firms, and insurers. In France, several companies using MOVEit for data transfers were affected.
Why the Impact Was So Massive
1. MOVEit is ubiquitous: thousands of organizations use it to exchange sensitive files (payroll, medical data, legal documents).
2. MOVEit servers are internet-facing: that is their function. A managed file transfer requires external network access.
3. Cl0p automated the exploitation: the group scanned the internet to identify all vulnerable MOVEit servers and launched mass exploitation before the patch was available.
4. Data was already on the server: MOVEit stores transferred files. The attacker did not need to pivot to other systems.
Lessons
File transfer software is a priority target. It contains sensitive data and is exposed to the internet. It must be audited and updated first.
SQL injection in 2023 is unacceptable. CVE-2023-34362 is a classic SQL injection. Parameterized queries would have prevented exploitation.
Rapid patching is vital. Organizations that applied the fix within 48 hours limited impact. Those that waited were compromised.
Webshell detection must be active. The human2.aspx webshell was detectable by analyzing files on the server.
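One way to put that lesson into practice is file integrity monitoring of the web root: inventory the server-executable files on a known-good, patched install and re-scan for anything new or modified. The script below is an added example, not code from the original article or from Progress; the web root layout, the file names other than human2.aspx, and the demo scenario are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes IIS executes server-side: a new or modified file of this kind in the
# MOVEit web root is what a planted webshell such as human2.aspx looks like on disk.
EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: str) -> dict[str, str]:
    """Inventory executable files under web_root as {relative path: SHA-256}.
    Capture it on a known-good, patched install and store it off the server."""
    root = Path(web_root)
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def find_unexpected(web_root: str, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, 'new' | 'modified') for executable files missing from the
    baseline or whose hash changed. Paths compare case-insensitively, as IIS does."""
    known = {k.lower(): v for k, v in baseline.items()}
    findings = []
    for rel, digest in build_baseline(web_root).items():
        expected = known.get(rel.lower())
        if expected is None:
            findings.append((rel, "new"))
        elif expected != digest:
            findings.append((rel, "modified"))
    return sorted(findings)


def run_demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a fake web root, then add human2.aspx and
    alter web.config, and return what the scan flags. Non-executable files are ignored."""
    root = Path(tempfile.mkdtemp())
    (root / "human.aspx").write_text("<%@ Page %> legitimate page (constructed)")
    (root / "web.config").write_text("<configuration/>")
    (root / "notes.txt").write_text("not executable, never inventoried")
    baseline = build_baseline(str(root))
    (root / "human2.aspx").write_text("<%@ Page %> unexpected file (constructed)")
    (root / "web.config").write_text("<configuration><appSettings/></configuration>")
    return find_unexpected(str(root), baseline)
```

Run the scan on a schedule and alert on any non-empty result; a finding that coincides with a vendor patch window is expected, one that does not warrants incident response.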
This incident illustrates why regular security auditing of your internet-facing services is essential. CleanIssue identifies these attack surfaces before attackers do.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.