MOVEit Transfer SQLi (CVE-2023-34362)
What is MOVEit Transfer SQLi (CVE-2023-34362)?
A SQL injection vulnerability in Progress MOVEit Transfer that allowed Cl0p to steal files from thousands of organizations in 2023.
CVE-2023-34362 is a critical SQL injection vulnerability in the web interface of Progress Software's MOVEit Transfer managed file transfer product, disclosed in May 2023. Exploitation lets unauthenticated attackers execute SQL against the application database and deploy a LEMURLOOT (a.k.a. human2.aspx) webshell, granting full file and session access. The Cl0p ransomware group mass-exploited the flaw as a zero-day to exfiltrate data from more than 2,500 organizations and over 90 million individuals, including the US Department of Energy, BBC, British Airways and Shell. Mitigation requires applying Progress's MOVEit patches and removing any LEMURLOOT artifacts.
● Examples
- 01
Cl0p drops the human2.aspx webshell on a MOVEit Transfer server and exfiltrates customer files overnight.
- 02
An organization audits its MOVEit logs for anomalously large file downloads and unknown service accounts after patching.
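The post-patch audit in example 02 and the LEMURLOOT clean-up mentioned in the definition can be turned into a small triage pass over the server's web logs. This is an added example, not code from the page or from Progress; it assumes W3C-style IIS logs with a `#Fields:` header, and the log lines, account allowlist and size threshold below are constructed placeholders.

```python
"""Triage helper for MOVEit Transfer web logs after patching CVE-2023-34362.

Added example (not from the original page). Assumes W3C-style IIS logs with a
'#Fields:' header; the sample log, account list and threshold are constructed.
"""

# Constructed sample log: one webshell hit, one oversized pull by an unknown account.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-bytes
2023-05-28 02:14:03 GET /human2.aspx - 198.51.100.7 200 512
2023-05-28 02:15:10 GET /api/v1/files/123/download alice 203.0.113.5 200 1048576
2023-05-28 02:16:22 GET /api/v1/files/124/download svc_backup 198.51.100.7 200 734003200
2023-05-28 02:17:01 GET /api/v1/files/125/download bob 203.0.113.9 200 2048
"""

KNOWN_ACCOUNTS = {"alice", "bob"}          # assumption: your inventory of legitimate accounts
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024   # assumption: tune to your normal transfer sizes
WEBSHELL_PATHS = {"/human2.aspx"}          # LEMURLOOT file name named on the page


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def triage(text):
    """Return (reason, record) findings for a human to review."""
    findings = []
    for rec in parse_w3c(text):
        path = rec.get("cs-uri-stem", "").lower()
        user = rec.get("cs-username", "-")
        raw_size = rec.get("sc-bytes", "-")
        size = int(raw_size) if raw_size.isdigit() else 0   # IIS logs '-' when unknown
        if path in WEBSHELL_PATHS:
            findings.append(("webshell path requested", rec))
        if size >= LARGE_DOWNLOAD_BYTES:
            findings.append(("large download", rec))
        if user != "-" and user not in KNOWN_ACCOUNTS:
            findings.append(("unknown account", rec))
    return findings


if __name__ == "__main__":
    for reason, rec in triage(SAMPLE_LOG):
        print(f"{reason:24} {rec['date']} {rec['time']} {rec['cs-username']} {rec['cs-uri-stem']}")
```

Any hit on the webshell path warrants a file-system check for the artifact itself; the other two rules only surface candidates and need the account and transfer context the logs alone do not carry.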
● Frequently asked questions
What is MOVEit Transfer SQLi (CVE-2023-34362)?
A SQL injection vulnerability in Progress MOVEit Transfer that allowed Cl0p to steal files from thousands of organizations in 2023. It belongs to the Vulnerabilities category.
What does MOVEit Transfer SQLi (CVE-2023-34362) mean?
A SQL injection vulnerability in Progress MOVEit Transfer that allowed Cl0p to steal files from thousands of organizations in 2023.
How does MOVEit Transfer SQLi (CVE-2023-34362) work?
CVE-2023-34362 is a critical SQL injection vulnerability in the web interface of Progress Software's MOVEit Transfer managed file transfer product, disclosed in May 2023. Exploitation lets unauthenticated attackers execute SQL against the application database and deploy a LEMURLOOT (a.k.a. human2.aspx) webshell, granting full file and session access. The Cl0p ransomware group mass-exploited the flaw as a zero-day to exfiltrate data from more than 2,500 organizations and over 90 million individuals, including the US Department of Energy, BBC, British Airways and Shell. Mitigation requires applying Progress's MOVEit patches and removing any LEMURLOOT artifacts.
How do you defend against MOVEit Transfer SQLi (CVE-2023-34362)?
Defending against MOVEit Transfer SQLi (CVE-2023-34362) means applying Progress's MOVEit Transfer patches, removing any LEMURLOOT (human2.aspx) webshell artifacts, and auditing MOVEit logs for anomalously large file downloads and unknown service accounts, as described in the full definition above.
What are other names for MOVEit Transfer SQLi (CVE-2023-34362)?
Common alternative names include: CVE-2023-34362, MOVEit zero-day.
● Related terms
- attacks
SQL Injection
A code-injection attack that smuggles attacker-controlled SQL into a database query, letting the attacker read, modify, or destroy data.
- malware
Cl0p / Clop Ransomware
A ransomware and data-extortion crew tracked as TA505 / FIN11 that mass-exploited file transfer zero-days, most notably MOVEit Transfer in 2023.
- attacks
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- malware
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.