CVE-2023-34362: exploited in the wild

MOVEit Transfer, pre-auth SQL injection (Cl0p mass exploitation)

Improper neutralization of special elements used in an SQL command in Progress MOVEit Transfer (web application) allows unauthenticated attackers to access the MOVEit Transfer database and inject malicious payloads, leading to remote code execution and data exfiltration. The flaw resided in the HTTP/HTTPS endpoint.

Overview

CVE-2023-34362 is a critical pre-authentication SQL injection vulnerability in Progress MOVEit Transfer, a widely used managed file transfer (MFT) solution deployed across enterprises, government agencies, and healthcare organizations. The vulnerability was mass-exploited by the Cl0p ransomware group in May and June 2023 as a zero-day attack, resulting in one of the largest data breach campaigns in history. Over 2,700 organizations were compromised, exposing personal data of more than 95 million individuals.

Technical Details

The vulnerability exists due to improper neutralization of special elements used in SQL commands within MOVEit Transfer's web application. The flaw resides in the HTTP/HTTPS endpoint, allowing unauthenticated remote attackers to:

  1. Bypass authentication entirely without valid credentials
  2. Inject malicious SQL queries to enumerate database tables and exfiltrate stored files
  3. Achieve remote code execution by leveraging database access to deploy payloads
  4. Deploy a persistent webshell (human2.aspx), a custom ASP.NET backdoor placed in C:\MOVEitTransfer\wwwroot\, for ongoing access and large-scale data extraction

The Cl0p group had weaponized this vulnerability weeks before public disclosure, enabling them to compromise thousands of organizations within 72 hours of the CVE becoming public.

Impact

The exploitation campaign represents a textbook case of mass MFT exploitation:

  • 2,700+ confirmed victim organizations including BBC, Shell, Aon, US Department of Energy, HHS, Louisiana DMV, Oregon DMV, EY, PwC, and numerous pension funds
  • 95+ million individuals had personal data exposed, including Social Security numbers and driver's licenses
  • Cl0p pivoted from traditional ransomware encryption to pure data exfiltration and extortion
  • MSPs were particularly affected, with attackers often maintaining 14-day footholds before discovery

Mitigation

  1. Patch immediately to minimum versions: 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, or 2021.0.6
  2. Apply subsequent patches addressing related CVEs (CVE-2023-35036, CVE-2023-35708)
  3. Treat MFT products with the same patching urgency as edge firewalls
  4. Restrict internet exposure of MOVEit Transfer instances where possible

Detection

  1. Hunt for webshell: Search for human2.aspx in the MOVEit wwwroot directory
  2. Audit database: Look for unexpected accounts named like "Health Check Service" or unusual scheduled jobs
  3. Review outbound transfers: Examine the 72 hours preceding patch application for significant data volumes to unknown destinations
  4. Monitor IIS logs: Check for anomalous requests to the MOVEit web endpoints
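The following script is an added example, not part of the advisory or of Progress's tooling. It reviews IIS W3C log lines offline for detection steps 1 and 4 above: any request to the human2.aspx webshell name is flagged, and response bytes are totalled per client address so that unusually large outbound volumes can be pulled for the transfer review in step 3. The log excerpt, the field order and the volume threshold are constructed for illustration.

```python
"""Triage helper for MOVEit Transfer IIS logs (added example, not from the advisory)."""
from collections import defaultdict

WEBSHELL_NAME = "human2.aspx"      # webshell file name given in the advisory
VOLUME_THRESHOLD = 50_000_000      # bytes per client; assumed tuning value, adjust per site

# Constructed sample log excerpt (not real traffic). /human.aspx is the legitimate
# MOVEit page whose name the webshell mimics; it must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
2023-05-28 01:12:03 GET /human.aspx 203.0.113.5 200 4120
2023-05-28 01:12:10 POST /human2.aspx 203.0.113.5 200 512
2023-05-28 01:13:44 GET /human2.aspx 203.0.113.5 200 61000000
2023-05-28 02:00:01 GET /api/v1/files 198.51.100.7 200 1800
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webshell_hits(text):
    """Return (client ip, method, uri) for every request whose path is the webshell."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"])
            for r in parse_iis_log(text)
            if r["cs-uri-stem"].lower().endswith("/" + WEBSHELL_NAME)]


def bytes_per_client(text):
    """Sum sc-bytes (server-to-client) per client address."""
    totals = defaultdict(int)
    for r in parse_iis_log(text):
        totals[r["c-ip"]] += int(r.get("sc-bytes", 0))
    return dict(totals)


def high_volume_clients(text, threshold=VOLUME_THRESHOLD):
    """Client addresses that pulled at least `threshold` bytes; review their transfers."""
    return sorted(ip for ip, n in bytes_per_client(text).items() if n >= threshold)


if __name__ == "__main__":
    print("webshell hits:", find_webshell_hits(SAMPLE_LOG))
    print("high-volume clients:", high_volume_clients(SAMPLE_LOG))
```

Point the script at the real W3C logs of the MOVEit site (sc-bytes must be enabled in IIS logging for the volume check to mean anything) and treat any hit on the webshell name as an incident, not a tuning question.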