CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2023-34362: MOVEit Transfer SQL Injection, CLOP's Mass Data Extortion Campaign

A CVSS 9.8 SQL injection zero-day in Progress MOVEit Transfer exploited by CLOP ransomware to steal data from 1,000+ organizations simultaneously, including US federal agencies, airlines, and payroll processors. 60+ million records exposed.

9.8
CVSS Score
1,000+
Organizations Breached
60M+
Records Stolen
Zero-Day
Disclosure Status

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2023-34362 is a SQL injection vulnerability in Progress MOVEit Transfer, a widely deployed managed file transfer platform used by enterprises and government agencies to securely transfer their most sensitive files. Exploited as a zero-day by the CLOP ransomware group (FIN11/UNC2546) beginning May 27, 2023, it became the foundation of the largest coordinated data extortion campaign in history: over 1,000 organizations breached simultaneously, with an estimated 60 million individuals' personal data stolen in weeks.

The attack was pure data extortion. CLOP installed web shells on compromised MOVEit servers, systematically downloaded the most sensitive transferred files, then contacted victim organizations threatening to publish the stolen data on their leak site unless ransoms were paid. No encryption occurred, making backup-based recovery completely irrelevant. The nature of MOVEit meant the stolen files were by definition the most sensitive documents organizations had transferred: healthcare records, government documents, financial data, and personal information.

How CVE-2023-34362 Works: SQL Injection to Web Shell Deployment

MOVEit Transfer's web application processes HTTP requests through endpoints that pass user-supplied input into SQL queries without adequate sanitization. An unauthenticated attacker sends crafted HTTP POST requests to MOVEit's HTTPS interface with SQL injection payloads that alter the intended query structure. The injected SQL accomplishes two objectives: authentication bypass (manipulating query logic to return records granting access) and privilege escalation to OS command execution through the database server's built-in file and command execution capabilities.

With code execution achieved, CLOP deployed a web shell named human2.aspx, a deliberate misspelling of a legitimate MOVEit file, to MOVEit's web root. This provided persistent access for ongoing file enumeration and download even after initial exploitation. CLOP used this access to systematically identify and exfiltrate the highest-value files stored or recently transferred through each compromised instance.

1

Identify MOVEit Transfer instances

Enumerate internet-facing MOVEit Transfer web portals. MOVEit's login interface is distinctive. CLOP used targeted lists of known enterprise MOVEit customers alongside automated scanning.

2

Inject SQL via unauthenticated endpoint

Send crafted HTTP POST requests to MOVEit's web interface with SQL injection payloads that manipulate authentication queries, bypassing the login requirement and gaining application-level access.

3

Escalate to OS command execution

Use database server file write and command execution capabilities to write files to the MOVEit web directory and execute OS commands as the MOVEit service account.

4

Deploy human2.aspx web shell

Write the CLOP-developed ASPX web shell to the MOVEit web root, providing persistent HTTP-accessible command execution and file access that survives application restarts.

5

Enumerate and exfiltrate files

Use the web shell to browse MOVEit's file storage and download high-value transferred files, healthcare records, financial documents, government data, PII, to attacker-controlled infrastructure.

6

Extort victims

Contact breached organizations via email threatening to publish stolen files on CLOP's leak site unless ransoms are paid. No encryption occurs, the leverage is the stolen data itself.

The CLOP Campaign: Supply Chain Breach at Scale

CLOP's MOVEit campaign was architecturally distinct from typical ransomware: rather than attacking individual organizations one by one, they targeted the platform used by hundreds of organizations to transfer their most sensitive files. A single vulnerability in MOVEit granted simultaneous access to the sensitive data of every organization running a vulnerable instance. The Memorial Day timing minimized immediate detection by security teams. The victim list reads like a cross-sector breach of extraordinary breadth: US Department of Energy, Shell, British Airways, the BBC, Boots, Aer Lingus, Maximus (11 million Medicaid/Medicare records), the Oregon DMV (3.5 million vehicle registration records), Louisiana OMV, University of California, Stanford University, and hundreds of others.

The companion vulnerabilities CVE-2023-35036 and CVE-2023-35708 were disclosed in June 2023, representing additional SQL injection flaws in the same product. Organizations that patched only CVE-2023-34362 remained exploitable until these separate patches were also applied.

CLOP actors exploit CVE-2023-34362 to install a webshell on affected MOVEit Transfer servers. Threat actors use the webshell to list and exfiltrate data stored on the MOVEit Transfer server.

CISA Advisory AA23-158A, June 2023
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Responding to CVE-2023-34362

Progress released patches June 1–6, 2023 depending on version. If you are still running unpatched MOVEit Transfer, treat the server as compromised and take it offline during remediation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2023-34362 and the CLOP MOVEit campaign represent the maturation of supply chain targeting as a ransomware strategy. Rather than attacking individual organizations, CLOP exploited the platform used to move the most sensitive data, gaining simultaneous access to hundreds of organizations' crown jewels through a single vulnerability.

Data extortion without encryption is now a primary tactic for exactly this reason: it is immune to backup-based recovery, it creates regulatory and reputational pressure regardless of whether victims pay, and it requires no operational complexity beyond file collection. The only effective defense is preventing exfiltration, which means patching managed file transfer platforms immediately, monitoring for anomalous outbound data transfers, and treating these platforms as critical-risk infrastructure requiring the same rigor as production databases.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2023-34362?

CVE-2023-34362 is a CVSS 9.8 SQL injection zero-day in Progress MOVEit Transfer. An unauthenticated attacker injects SQL into MOVEit's web interface, bypassing authentication and executing OS commands through database escalation mechanisms. CLOP ransomware exploited it before patches existed to breach 1,000+ organizations.

How serious is CVE-2023-34362?

The most impactful data breach campaign of 2023. Over 60 million individuals' records were stolen from 1,000+ organizations. Victims include US federal agencies, British Airways, the BBC, Maximus (11 million records), Oregon DMV (3.5 million records), and hundreds of others. CVSS 9.8, no authentication required.

Was CVE-2023-34362 exploited before the patch?

Yes. CLOP began exploiting MOVEit Transfer around May 27, 2023, Memorial Day weekend in the US. Progress published an advisory and patch June 1–2, 2023, but by then CLOP had already breached hundreds of organizations and installed persistent web shells for ongoing data collection.

Are there related MOVEit CVEs?

Yes. CVE-2023-35036 and CVE-2023-35708 are additional SQL injection vulnerabilities in the same product disclosed in June 2023. Organizations that only patched CVE-2023-34362 remained vulnerable to these companion flaws until separate patches were applied.

Why couldn't affected organizations recover with backups?

CLOP used pure data extortion, they stole files and threatened to publish them but did not encrypt production systems. Backup restoration is irrelevant when the threat is publication of already-stolen data. Only prevention of exfiltration is an effective defense.

How do I patch CVE-2023-34362?

Apply the June 2023 patches for your MOVEit version branch: 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, 2021.0.6, 2020.1.10, or 2020.0.8 and later. Also apply separate patches for CVE-2023-35036 and CVE-2023-35708.

Sources & references

  1. NVD
  2. CISA Advisory AA23-158A
  3. Progress Software Advisory

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.