
CVE-2023-34362: MOVEit Transfer — SQL Injection to RCE

CVE Details

CVE ID: CVE-2023-34362
CVSS Score: 9.8
Severity: Critical
Vendor: Progress Software
Product: MOVEit Transfer
Patch Status: Available
Published: February 10, 2026

Background

MOVEit Transfer is a managed file transfer (MFT) solution developed by Progress Software, widely used in enterprise, government, and financial services sectors for secure file transfers — including sensitive data such as payroll files, medical records, and financial transactions. Its deployment as a trusted business-critical file exchange platform makes it a particularly attractive target: organisations using MOVEit often trust its outputs implicitly, and the files it handles represent high-value exfiltration targets.

CVE-2023-34362 is a SQL injection vulnerability exploited as a zero-day in May 2023 by the Cl0p ransomware group in what became one of the largest supply-chain style data breach campaigns in history. The attack did not deploy ransomware — instead, Cl0p used SQL injection to deploy web shells and exfiltrate data from hundreds of organisations. Cl0p subsequently extorted victims, threatening to publish stolen data if ransoms were not paid. The vulnerability affected thousands of organisations worldwide.

Technical Mechanism

CVE-2023-34362 is a SQL injection vulnerability in MOVEit Transfer’s web application. MOVEit Transfer is an ASP.NET application backed by Microsoft SQL Server or MySQL/Azure SQL. The SQL injection exists in an endpoint that processes user-supplied data without adequate parameterisation.

The vulnerable endpoint is in MOVEit’s human.aspx or a related ASP.NET page that handles file listing or session management. User-supplied parameters (such as session tokens or file identifiers) are incorporated directly into SQL queries:

-- Vulnerable query (conceptual)
SELECT * FROM sessions WHERE SessionID = '<user_supplied_value>'

-- Attacker injection payload
-- SessionID = ' UNION SELECT 'cmd_output',1,1,1 FROM sys.objects WHERE type='X'--

-- Full injected query becomes:
SELECT * FROM sessions WHERE SessionID = ''
UNION SELECT 'cmd_output',1,1,1 FROM sys.objects WHERE type='X'--'
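To make the concatenation defect concrete, here is an added Python/SQLite example (not MOVEit's code; the table and column names are assumptions) that runs the same UNION payload shape against a concatenated query and against a parameterised one:

```python
import sqlite3

# Constructed stand-in for a session table; column names are assumptions, not MOVEit's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (SessionID TEXT, Username TEXT, IsAdmin INTEGER, Expires INTEGER)"
    )
    conn.execute("INSERT INTO sessions VALUES ('abc123', 'alice', 0, 1700000000)")
    return conn

def lookup_vulnerable(conn, session_id):
    # The advisory's pattern: the user-supplied value is spliced into the SQL text,
    # so quote characters inside it become part of the query grammar.
    query = "SELECT * FROM sessions WHERE SessionID = '" + session_id + "'"
    return conn.execute(query).fetchall()

def lookup_parameterised(conn, session_id):
    # Bound parameter: the driver passes the value separately, so it can only be
    # compared against SessionID and can never change the statement's structure.
    return conn.execute(
        "SELECT * FROM sessions WHERE SessionID = ?", (session_id,)
    ).fetchall()

# The page's UNION payload shape, with sys.objects (SQL Server) swapped for
# sqlite_master so it runs here. The column count must match the sessions table.
PAYLOAD = "' UNION SELECT 'forged', 'attacker', 1, 0 FROM sqlite_master--"

def demo():
    conn = build_db()
    vuln = lookup_vulnerable(conn, PAYLOAD)      # returns the attacker-chosen row
    safe = lookup_parameterised(conn, PAYLOAD)   # returns nothing: no such SessionID
    return vuln, safe

if __name__ == "__main__":
    print(demo())
```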

For the MOVEit Transfer case, the SQL injection allows attackers to:

  1. Enumerate database contents: Extract user credentials, file metadata, and configuration data
  2. Manipulate session state: Create or modify session records to escalate privileges
  3. Execute stored procedures: In SQL Server environments, use xp_cmdshell or equivalent to execute OS commands (though this typically requires sysadmin privilege)
  4. Web shell deployment: More directly, the SQL injection enabled attackers to write files to the MOVEit web directory, deploying a web shell

The LEMURLOOT web shell deployed by Cl0p was a specifically crafted ASP.NET payload (.aspx file) that:

  • Verified requests via a hardcoded password header
  • Executed commands in the context of the IIS application pool identity
  • Provided file upload/download capabilities for data exfiltration
  • Harvested credentials from MOVEit’s database tables

Real-World Exploitation Evidence

The Cl0p ransomware group (also known as TA505 or FIN11) orchestrated a coordinated zero-day exploitation campaign:

  • Scale: Over 2,500 organisations were confirmed affected; estimates suggest data was stolen from at least 600+ organisations before the vulnerability was patched.
  • Notable victims: US Department of Energy, Shell, British Airways, BBC, Boots, Aon, Ernst & Young, PricewaterhouseCoopers, the US state of Louisiana’s motor vehicles department, and many others.
  • Data exfiltration focus: Unlike typical ransomware attacks, Cl0p focused purely on data theft rather than encryption, then operated an extortion website threatening to publish stolen data.
  • Automated exploitation: Evidence suggested Cl0p had access to the vulnerability months before public disclosure and automated exploitation to maximise the attack window.
  • Global impact: The campaign affected organisations across 22+ countries.

This attack is frequently cited as demonstrating the catastrophic potential of supply-chain/MFT vulnerabilities — a single exploited platform can compromise data from its entire customer base.

Impact Assessment

For organisations using MOVEit Transfer:

  • Mass data exfiltration: All files stored in or transferred through MOVEit were potentially accessible and exfiltrated.
  • Credential theft: MOVEit’s database contains user credentials, API keys, and configuration data that can enable further attacks.
  • Downstream impact: For service providers and payroll processors using MOVEit, their customers’ data was exposed even if those customers had no direct MOVEit deployment.
  • Regulatory consequences: Healthcare and financial sector victims faced potential HIPAA, PCI-DSS, and GDPR violations.
  • Extortion risk: Cl0p’s data publication threats created sustained reputational and legal risk beyond the initial breach.

Affected Versions

Product          | Affected Versions                  | Fixed Version
MOVEit Transfer  | All versions before May 2023 patch | 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, 2021.0.6
MOVEit Cloud     | All instances before patch         | Patched by Progress automatically

Progress released patches on May 31, 2023. MOVEit versions are also identified by year (e.g., MOVEit 2022.1 = version 14.1).

Remediation Steps

  1. Apply patches immediately: Download the emergency patch from the Progress MOVEit portal for your specific version.

  2. Disable HTTP/HTTPS traffic to MOVEit Transfer until patching is complete:

    • Block external access at the firewall
    • Consider taking the service offline temporarily
  3. Check for indicators of compromise before patching:

    REM Look for LEMURLOOT web shell artifacts
    REM Windows (cmd): list every .aspx under the MOVEit web root, recursing into subdirectories
    dir /s /b "C:\MOVEitTransfer\wwwroot\*.aspx"
    
    REM Check IIS logs for requests to unexpected endpoints
    REM Look for: human2.aspx, _human2.aspx, or other non-standard .aspx files
  4. Delete LEMURLOOT artifacts if found:

    • Files named human2.aspx, _human2.aspx, or any unexpected .aspx file in the MOVEit web root
    • Associated files in temp directories
  5. Review and rotate credentials: Change all MOVEit admin and service account passwords. Notify users their credentials may be compromised.

  6. Examine logs for data exfiltration: Review MOVEit logs and network logs for unusual data transfers, particularly large outbound transfers to unknown IPs.

Detection Guidance

Log sources:

  • MOVEit Transfer application logs (SyslogFile.log in MOVEit installation directory)
  • IIS access logs: C:\inetpub\logs\LogFiles\
  • Windows Event Logs for file creation and process execution events
  • Network flow logs for outbound data transfers

Suspicious file patterns:

# Potential LEMURLOOT web shell files
human2.aspx
_human2.aspx
*.aspx files created in MOVEit wwwroot not matching product file list

Suricata signature:

# Web shell requests originate outside and target the MOVEit server, so the source is $EXTERNAL_NET; header names are case-insensitive, hence nocase
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MOVEit Transfer CVE-2023-34362 LEMURLOOT C2"; flow:established,to_server; http.header; content:"X-siLock-Comment"; nocase; sid:9000343; rev:1;)

LEMURLOOT authentication header (IOC):

X-siLock-Comment: [password value seen in samples]
X-siLock-Step1: "Orange1225!"

Timeline

Date             | Event
~January 2023    | Cl0p likely acquires zero-day (estimated)
May 27–28, 2023  | Mass exploitation begins (Memorial Day weekend)
May 31, 2023     | Progress Software discovers exploitation; releases emergency patch
May 31, 2023     | CISA adds CVE-2023-34362 to KEV catalogue
June 6, 2023     | Cl0p claims responsibility; begins victim extortion
June 2023        | Hundreds of victim organisations confirmed
July 2023        | US government offers $10M reward for Cl0p member information