Table of Contents
- Module 1: The MOVEit Transfer Vulnerability
- What Is MOVEit Transfer and What Is the Vulnerability
- The Initial Attack Chain and CL0P Ransomware Involvement
- Vulnerability Disclosure Timeline and Multiple CVEs
- Global Impact and Confirmed Victims
- Attribution to the CL0P Ransomware Group
- Exposure Scale and Industry Targeting Patterns
- Five-Question Risk Assessment Framework
- Immediate Mitigation Actions
- Compromise Assessment and Incident Response Steps
- Supplementary Reference: Known MOVEit CVEs
- Summary
Module 1: The MOVEit Transfer Vulnerability
What Is MOVEit Transfer and What Is the Vulnerability
MOVEit Transfer is a managed file transfer (MFT) application. Organizations host it to allow controlled sharing of files, typically with external partners and other organizations outside their own network boundary. Because file sharing is a near-universal business need, MOVEit Transfer is used broadly across many industries.
The core vulnerability affecting MOVEit Transfer is SQL injection (SQLi). An unauthenticated attacker — someone with no valid credentials on the system — can send a crafted SQL request to the application. From that injection point, the attacker can pivot to arbitrary code execution, effectively gaining the ability to do anything within that system: read, modify, or exfiltrate any files hosted on the server, and execute further commands.
In short: this is a web application vulnerability (SQL injection) that is leveraged to achieve full code execution on the underlying host running the software.
The Initial Attack Chain and CL0P Ransomware Involvement
The initial wave of exploitation has been attributed to the CL0P ransomware group. The observed attack chain proceeded as follows:
- Compromise the application via SQL injection.
- Download and install a web shell to establish persistent command execution.
- From the web shell, enumerate (list) all files present on the server.
- Download/exfiltrate all of those files to attacker-controlled infrastructure.
- Create a new system administrator account within the application as an additional backdoor, ensuring continued access even if the original web shell is discovered and removed.
It has since been demonstrated that the web shell step is not strictly necessary — the SQL injection vulnerability alone can be used to execute code directly, without ever installing a web shell. This means an attacker can go straight from the injection point to arbitrary command execution (file theft, deployment of ransomware, or any other malicious action) without leaving the same forensic artifacts that the original CL0P campaign produced.
sequenceDiagram
participant Attacker
participant MOVEit as MOVEit Transfer Server
participant WebShell as Web Shell (human2.aspx)
participant Storage as Hosted Files
Attacker->>MOVEit: Unauthenticated SQL injection request
MOVEit-->>Attacker: SQL injection succeeds
Attacker->>MOVEit: Upload/deploy web shell
MOVEit-->>WebShell: web shell active in webroot
Attacker->>WebShell: Command: list all files
WebShell-->>Attacker: File listing returned
Attacker->>WebShell: Command: exfiltrate files
WebShell->>Storage: Read files
Storage-->>Attacker: Files transferred to attacker infrastructure
Attacker->>MOVEit: Create new sysadmin account (backdoor)
Note over Attacker,MOVEit: Alternative path (later discovered):<br/>SQL injection alone -> direct code execution,<br/>no web shell required
Vulnerability Disclosure Timeline and Multiple CVEs
The disclosure and exploitation of the MOVEit Transfer vulnerabilities unfolded in several distinct stages:
- May 31: The initial exploit/vulnerability was publicly announced. Active exploitation in the wild was already occurring at the time of disclosure — this was not a research-first disclosure.
- June 2: An official CVE identifier was formally assigned to the initial SQL injection vulnerability.
- ~1.5 weeks later: A second, similar CVE was issued for another SQL injection flaw in the same product.
- Over the following weeks, the pattern continued until approximately six CVEs in total were assigned, all related to SQL injection issues in MOVEit Transfer.
- July 6, 2023: Progress Software (the vendor) released a service pack that announced and resolved three additional new CVEs in a single update.
This progression illustrates a very common post-disclosure pattern: once a vulnerability in a specific application receives major news attention, security researchers and adversaries alike intensify scrutiny of that product, and additional related flaws are frequently uncovered in quick succession. Patching once, immediately after the first disclosure, does not guarantee the problem is fully resolved — organizations must continue tracking vendor advisories, because adversaries continue to develop new exploitation techniques against the same software family.
Any organization that had not applied all patches by the July 2023 service pack was very likely still vulnerable to at least one of the six-plus known SQL injection issues.
flowchart LR
A["May 31: Initial vulnerability<br/>publicly disclosed<br/>(already exploited in the wild)"] --> B["June 2: First official<br/>CVE assigned"]
B --> C["~1.5 weeks later:<br/>Second similar SQLi CVE issued"]
C --> D["Following weeks:<br/>Total of ~6 SQLi-related CVEs"]
D --> E["July 6, 2023:<br/>Progress Software service pack<br/>fixes 3 additional new CVEs"]
E --> F["Organizations not fully patched<br/>by this point remain vulnerable"]
Global Impact and Confirmed Victims
Because MOVEit Transfer is used globally by a very large number of organizations, the real-world impact turned out to be far more widespread than initial headlines suggested. Confirmed or publicly identified impacted organizations included:
- The Department of Homeland Security, which was identified as having one of the vulnerable, publicly accessible instances.
- British Airways
- The BBC
- Johns Hopkins University
- Shell
These are only the organizations that were publicly named; the true scope of impacted organizations is difficult to fully confirm.
Attribution to the CL0P Ransomware Group
There has been some confusion in the security community regarding attribution and the full list of impacted organizations. Key attribution facts:
- CL0P ransomware group has been officially attributed as responsible for the primary wave of exploitation. Both Microsoft and Google have publicly called out CL0P by name, and the tactics used align closely with CL0P’s known history.
- CL0P (or an affiliated group using the same techniques) was previously involved in exploiting the Accellion and GoAnywhere managed file transfer applications — both of which are conceptually similar to MOVEit (file transfer software), and both of which were also linked to the Fortra incidents.
- The specific web shell recovered from MOVEit compromises matches a web shell CL0P has used in prior campaigns, reinforcing the attribution.
- CL0P operates a data-leak extortion site listing victim organizations, threatening to publicly release stolen data unless paid. However, some organizations that appear on that leak site do not actually use the MOVEit Transfer application — this is likely because of overlap with CL0P’s earlier Accellion/GoAnywhere/Fortra exploitation activity, which adds ambiguity to any single “MOVEit victim count.”
mindmap
root((CL0P Ransomware<br/>Attribution))
Confirmed by
Microsoft
Google
Prior related campaigns
Accellion file transfer
GoAnywhere file transfer
Fortra incidents
Evidence
Matching web shell signature
Consistent TTPs
Business model
Data exfiltration
Public extortion leak site
Some listed victims do not use MOVEit
(overlap from prior campaigns)
Exposure Scale and Industry Targeting Patterns
At the time the initial vulnerability was disclosed, there were approximately 2,500 publicly exposed MOVEit Transfer servers on the internet. This scale exists because the application is designed to be exposed publicly — that is its normal use case (sharing files with external partners) — and any publicly accessible, unpatched instance is inherently vulnerable.
Beyond the direct 2,500+ exposed servers, organizations also face a longer-term exposure risk: services such as Shodan maintain historical datasets of internet-facing systems, meaning that even after patching, an organization that was ever identified as running MOVEit remains “on a list” that adversaries can revisit if new exploitation techniques emerge in the future.
Regarding industry targeting:
- Because file transfer needs span virtually every sector, the affected organizations are spread broadly across industries.
- CL0P has publicly stated it will not target certain sectors — specifically calling out military, government, law enforcement, and healthcare facilities (with particular emphasis on facilities that support children).
- However, this stated policy does not prevent other threat actors from reusing the same publicly available proof-of-concept exploit code to target exactly those sectors that CL0P claims to avoid.
- Around mid-June 2023, there was public discussion involving the Department of Energy regarding possible Russian state-linked activity targeting a MOVEit instance the department was hosting — illustrating that attribution to a single group (CL0P) does not mean all exploitation activity originates from that group. A more advanced or state-linked actor could be behind some incidents, while CL0P is simply the group publicly claiming credit and pursuing monetization.
The overarching lesson: an organization cannot assume it is “safe” from this vulnerability merely because CL0P has said it avoids certain sectors, or because a compromise “looks like” CL0P activity. Any unauthenticated, unpatched, internet-facing MOVEit instance is a viable target for any threat actor with access to the exploit.
flowchart TD
A["~2,500 publicly exposed<br/>MOVEit Transfer servers"] --> B{"CL0P's stated<br/>target exclusions"}
B -->|Avoids| C["Military"]
B -->|Avoids| D["Government"]
B -->|Avoids| E["Law enforcement"]
B -->|Avoids| F["Healthcare<br/>(esp. pediatric)"]
B --> G["Other threat actors can<br/>reuse the same public PoC<br/>against ANY sector,<br/>including those CL0P avoids"]
G --> H["Example: mid-June 2023<br/>Dept. of Energy - possible<br/>Russian-linked activity"]
Five-Question Risk Assessment Framework
To help any organization triage its own exposure and response priority for this vulnerability class, a simple five-question risk assessment framework can be applied:
-
What is the CVSS score? The MOVEit SQL injection vulnerability carries a CVSS score of 9.8. The follow-on CVEs assigned afterward also carry ratings of 9 or higher, confirming they are all critical. The severity stems largely from the fact that exploitation requires no prior authentication and results in full system access.
-
Is this application generally internet-facing? Yes. While MOVEit Transfer can technically be hosted purely internally, its typical and intended use case is external file sharing through a web portal — so most deployments are internet-facing by design.
-
Is there an active proof-of-concept (PoC) exploit available? Yes — this vulnerability was discovered because it was already being actively exploited in the wild, meaning a working exploitation method was in use by threat actors before or at the time of public disclosure (unlike many vulnerabilities that are first found by researchers or vendors before any real-world exploitation is observed).
-
Can this be exploited in your specific environment? Exploitability sometimes depends on how an organization has configured the software — a vulnerability might exist in code but not be reachable in a given configuration. In this case, however, exploitation only requires standard web access to the application. As long as the web portal is reachable, the environment is exploitable.
-
How should this be prioritized? Priority depends heavily on what data is stored in or passed through the specific deployment. If the instance handles customer information or critical intellectual property, it must be treated as an urgent, all-hands priority. If it is used only to share low-sensitivity files between a small number of parties, the response can be scaled down somewhat — though patching remains necessary regardless.
flowchart TD
Q1["1. What is the CVSS score?<br/>9.8 (critical, unauthenticated)"] --> Q2["2. Is the app<br/>internet-facing?<br/>Typically yes"]
Q2 --> Q3["3. Is there an active PoC?<br/>Yes - exploited in the wild<br/>before/at disclosure"]
Q3 --> Q4["4. Can it be exploited<br/>in your environment?<br/>Yes, if web portal is reachable"]
Q4 --> Q5["5. What priority level?<br/>Depends on data sensitivity<br/>hosted on the instance"]
Q5 --> R["Overall risk rating and<br/>response urgency"]
Immediate Mitigation Actions
The window between the first public announcement and a formal CVE being assigned (and a patch becoming available) was only a matter of days. Recommended immediate actions:
- Patch immediately. This is the primary, non-negotiable remediation step.
- Disable web access (both HTTP and HTTPS) to the MOVEit Transfer application until a patch can be applied. This does not fully cut off access to hosted data:
- Administrators can still log in remotely to manage the system directly.
- Users can still transfer files via SFTP and FTP.
- What is disabled is specifically the web portal exposure — the vector actually being exploited.
This mitigation assumes the instance has not already been compromised. If the instance has been internet-facing and unpatched over an extended period (on the order of a month or more, in this case), the next step is to assume possible compromise and move into incident response.
Compromise Assessment and Incident Response Steps
If there is reason to believe an instance may already be compromised (or to proactively verify it has not been), the following incident response steps apply:
- Look for the known web shell. In the CL0P campaign, the web shell file was named
human2.aspx, and it would be found inside the web root directory (wwwroot) of the MOVEit Transfer application. This is a relatively easy first artifact to check for. - Look for new/unexpected files in general, not just the specific named web shell — other threat actors reusing the underlying SQL injection vulnerability (rather than the exact CL0P playbook) may not use the same web shell file name or technique at all.
- Look for newly created administrative or user accounts. As noted in the original attack chain, CL0P created an additional system administrator account as a backdoor. Any unexpected new admin/user accounts should be treated as a compromise indicator.
- Reset all service account credentials, at minimum, even after patching — to ensure that any credentials that may have been harvested or reused by an attacker are invalidated, and to close off any backdoor access that might otherwise persist unnoticed after the vulnerability itself is patched.
- Monitor outbound network traffic from the server. This is a particularly important and durable detection technique, especially as more infrastructure shifts to the cloud. It is normal for an external client to initiate an inbound request to the MOVEit web server (to log in and transfer files). It is not normal for the MOVEit server itself to initiate outbound connections — such outbound requests would be required for the server to pull down a web shell or establish a reverse shell, and are a strong indicator of compromise.
- Use available detection signatures where applicable, such as published YARA rules for the known web shell — but treat these as only one detection layer, since they will only catch the specific web shell variant they were written for, and different threat actors may use entirely different post-exploitation tooling.
- Review SQL/database logs and other application logs for anomalous or potentially malicious query activity, since the initial compromise vector is SQL injection itself.
flowchart TD
A["Instance was internet-facing<br/>and unpatched for an extended period"] --> B["Assume possible compromise -<br/>begin IR checks"]
B --> C["Check web root for<br/>human2.aspx web shell"]
B --> D["Search for any new/<br/>unexpected files"]
B --> E["Search for new admin/<br/>user accounts"]
B --> F["Reset ALL service<br/>account credentials"]
B --> G["Monitor for anomalous<br/>OUTBOUND traffic from server"]
B --> H["Check YARA rule matches<br/>(known web shell only)"]
B --> I["Review SQL/DB logs for<br/>anomalous query activity"]
C --> J{"Any indicator found?"}
D --> J
E --> J
F --> J
G --> J
H --> J
I --> J
J -->|Yes| K["Escalate to full<br/>incident response"]
J -->|No confirmed indicators| L["Continue patching,<br/>monitoring, credential rotation"]
Supplementary Reference: Known MOVEit CVEs
The narration describes the vulnerability class, disclosure timeline, and CVSS severity in detail without enumerating every individual CVE identifier by number. For reference, the well-documented public CVE cluster associated with the 2023 MOVEit Transfer SQL injection campaign described above includes the following (presented here as supplementary factual context to the technical narrative above):
| CVE | Disclosed | Type | Notes |
|---|---|---|---|
| CVE-2023-34362 | May 31, 2023 | SQL injection → RCE | The initial, actively-exploited vulnerability; the one attributed to CL0P’s mass-exploitation campaign |
| Additional June 2023 CVEs | Early–mid June 2023 | SQL injection | Follow-on flaws identified shortly after the initial disclosure gained public attention |
| Additional July 2023 CVEs | July 6, 2023 | SQL injection | Resolved together in Progress Software’s service pack release |
| Aspect | Detail |
|---|---|
| Vulnerability class | SQL injection leading to arbitrary/remote code execution |
| Authentication required | None (unauthenticated, remotely exploitable) |
| CVSS v3.1 base score | 9.8 (Critical) |
| Primary threat actor | CL0P ransomware group |
| Prior related campaigns by same actor | Accellion, GoAnywhere/Fortra |
| Known persistence artifact | human2.aspx web shell in MOVEit web root |
| Approx. exposed instances at disclosure | ~2,500 publicly accessible servers |
Summary
The MOVEit Transfer vulnerabilities represent a textbook case of a critical, unauthenticated SQL injection flaw in a widely deployed, internet-facing managed file transfer application being rapidly weaponized for mass exploitation. A single SQL injection point allowed attackers to bypass authentication entirely and achieve arbitrary code execution, which the CL0P ransomware group used to deploy a web shell, exfiltrate hosted files at scale, and plant backdoor administrator accounts — later shown to be achievable through the SQL injection alone, without any web shell at all. Once the initial flaw made headlines, the vendor and researchers uncovered roughly six related SQL injection CVEs within about six weeks, each rated 9 or higher on the CVSS scale, culminating in a July 2023 service pack that resolved three further issues. Confirmed impacted organizations spanned government agencies, airlines, media organizations, universities, and energy companies, and roughly 2,500 servers were publicly exposed at the time of disclosure — with attribution complicated by CL0P’s broader history of file-transfer-application exploitation (Accellion, GoAnywhere/Fortra) and its public but unenforceable claim to avoid certain sectors.
Key Takeaways
- SQL injection remains a devastating vulnerability class when it grants unauthenticated, full code execution on internet-facing infrastructure.
- A vendor’s first patch after a major disclosure is rarely the last word — expect follow-on CVEs as scrutiny intensifies.
- Threat actor “policies” about which sectors they will or will not target provide no real protection, since exploit code and techniques are reused by other actors.
- Detection cannot rely solely on a single known artifact (e.g., one web shell filename) — outbound traffic anomalies and database log review are more durable detection strategies.
- Historical exposure (e.g., in Shodan datasets) keeps an organization “on the radar” of attackers even after patching.
Mitigation Checklist
- Apply all vendor-released patches/service packs immediately, and continue tracking new CVEs for the same product going forward.
- If unpatched, disable web (HTTP/HTTPS) access to the application immediately; retain SFTP/FTP and direct admin access as needed.
- Search the web root directory for unexpected files, including but not limited to known web shell names such as
human2.aspx. - Audit for newly created administrator or service accounts.
- Reset all service account credentials associated with the application, even after patching.
- Establish outbound traffic monitoring/alerting for the server — any server-initiated outbound connection is suspicious for this application profile.
- Apply available YARA/IOC signatures as one detection layer, not the sole detection mechanism.
- Review SQL/database and application logs for anomalous or injection-pattern query activity.
- Reassess risk using the five-question framework (CVSS, internet exposure, active PoC, environment exploitability, data sensitivity) for any future MOVEit or similar MFT advisory.
- Do not assume safety based on a threat actor’s stated targeting exclusions — patch and monitor regardless of industry.
Search Terms
moveit · vulnerability · know · briefings · networking · systems · security · assessment · cl0p · cves · mitigation · ransomware · transfer