Breachwire.riscent

Breach report

MOVEit Transfer: one SQL injection, thousands of organizations breached

Web Application BreachesCritical (CVSS 9.8)CVE-2023-343622023-05
The bottom lineThe Cl0p ransomware group exploited an unauthenticated SQL injection in Progress MOVEit Transfer to deploy a web shell and exfiltrate data from thousands of organizations worldwide.
Category
Web Application Breaches
Type
CVE · Named mass-exploitation (Cl0p)
Date
2023-05
Severity
Critical (CVSS 9.8)
OWASP
Web A05 Injection
CWE / CVE
CWE-89 CVE-2023-34362

What happened

MOVEit Transfer is a managed file-transfer product used by enterprises and governments to move sensitive data. In May 2023, the Cl0p ransomware group exploited CVE-2023-34362, an unauthenticated SQL-injection vulnerability with a CVSS score of 9.8, to install a web shell (tracked as LEMURLOOT) and exfiltrate data at scale. CISA and partners documented the campaign in advisory AA23-158A; public estimates placed the number of affected organizations in the thousands worldwide, spanning private companies and public agencies.

Because MOVEit sits at the point where organizations exchange their most sensitive files, a single flaw in it produced an enormous blast radius across everyone who relied on it.

Root cause

The application constructed a database query using attacker-controllable input without proper parameterization, allowing SQL injection — CWE-89, and a textbook example of OWASP's Injection category. From there the attackers escalated to writing a web shell and reading data directly.

How it would have been caught

Static analysis (Semgrep, CodeQL) flags query construction that concatenates untrusted input, and dynamic testing (OWASP ZAP, Burp Suite) exercises injection payloads against the running application. The reproduction fires a crafted request at the vulnerable endpoint and confirms it returns or manipulates data it should not.

How to prevent it

  • Use parameterized queries or prepared statements everywhere; never build SQL by string concatenation with user input.
  • Apply least-privilege database accounts so an injection cannot escalate to full data access or file writes.
  • Patch internet-facing edge software promptly — mass-exploited CVEs are weaponized within days of disclosure.

The Breachwire test (red → green)

Fire the injection payload at the endpoint and confirm it succeeds (leaks or alters data) — the RED control. Convert the query to a parameterized statement, then confirm the same payload is treated as literal data and fails, while legitimate queries continue to work.