MOVEit — single SQL injection → hundreds of downstream breaches
CVE-2023-34362: A SQL injection in MOVEit Transfer, a widely deployed managed file-transfer product, was exploited by the Cl0p ransomware group to compromise hundreds of organizations directly and thousands more through their service providers, exfiltrating data from the government, finance, and healthcare sectors.
What happened
Progress Software's MOVEit Transfer had a zero-day SQL injection in its internet-facing web interface. Exploiting it gave the attackers access to the application's database and let them drop a web shell on the server, which they then used to pull files out at scale. The Cl0p group began mass exploitation on May 27, 2023 (the US Memorial Day weekend), hitting organizations including the US Department of Energy, Shell, British Airways, the BBC, and hundreds of others.
Timeline
May 27, 2023: Cl0p begins mass exploitation of the zero-day.
May 31, 2023: Progress Software publishes its advisory and releases patched versions.
June 2023 onward: affected organizations, including many that never ran MOVEit themselves but whose data sat on a vendor's instance, continue to disclose.
Root cause
A classic SQL injection (untrusted request data reaching a query without parameterization) in a product whose entire purpose is handling sensitive file transfers. The vulnerable code had shipped in releases for years before it was found. Once a capable threat actor had a working exploit, the blast radius was every internet-exposed MOVEit Transfer instance; and because the product sits at the boundary where an organization exchanges files with its partners, each compromised server exposed not only the operator's data but that of every counterparty using it.
Impact
- ~2,600 organizations confirmed affected
- ~90 million individuals had data exposed
- Billions in downstream fraud + remediation cost
For MOVEit itself: string-built SQL is exactly the pattern SAST tooling is designed to flag, so a SAST pass over the codebase would likely have surfaced this injection, but MOVEit's codebase predates the era in which such scans are a standard part of the build. For MOVEit customers downstream: once CVE-2023-34362 was disclosed, Securie's real-time CVE-to-block pipeline would have blocked the vulnerable version within 15 minutes of the advisory.
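To make the root cause and the SAST point above concrete, here is an added example (not MOVEit's code, and not Securie's tooling; the schema, handler names, attacker inputs and the pattern-matching heuristic are all assumptions constructed for illustration). It builds a small in-memory SQLite database modelled loosely on a file-transfer service, shows a handler that splices the request's username into the query text beside the parameterized form, runs two constructed attacker inputs through both (one widens the WHERE clause, one uses UNION to read a different table, which is the data-theft case), and finishes with a toy SAST-style line check that flags the string-built query and passes the parameterized one.

```python
import inspect
import re
import sqlite3

# Constructed sample schema, loosely modelled on a file-transfer service
# (example data only; this is not MOVEit's real schema).
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);
CREATE TABLE folders(id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT);
INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 0), (3, 'sysadmin', 1);
INSERT INTO folders VALUES (10, 1, 'alice-uploads'), (20, 2, 'bob-uploads'),
                           (30, 3, 'payroll-exports');
"""


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_folders_vulnerable(conn, username):
    """Hypothetical vulnerable handler: the caller-supplied username is
    spliced into the query text, so the input can rewrite the query."""
    sql = f"SELECT name FROM folders f JOIN users u ON u.id = f.owner_id WHERE u.username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def list_folders_safe(conn, username):
    """Hardened form: a bound parameter. The driver passes the value
    separately from the statement, so quotes and keywords in it are data."""
    sql = "SELECT name FROM folders f JOIN users u ON u.id = f.owner_id WHERE u.username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed attacker inputs. The first turns the WHERE clause into a
# tautology; the second appends a UNION that reads another table, and
# closes with AND '1'='1 so the template's trailing quote still parses.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username FROM users WHERE is_admin = 1 AND '1'='1"


def demo():
    """Run honest and hostile inputs through both handlers."""
    conn = connect()
    return {
        "honest_vuln": list_folders_vulnerable(conn, "alice"),
        "honest_safe": list_folders_safe(conn, "alice"),
        "tautology_vuln": list_folders_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": list_folders_safe(conn, TAUTOLOGY),
        "union_vuln": list_folders_vulnerable(conn, UNION_DUMP),
        "union_safe": list_folders_safe(conn, UNION_DUMP),
    }


# A minimal SAST-style check (toy heuristic, not a real analyser): flag lines
# where a string holding a SQL verb is assembled with an f-string, .format(),
# % formatting or + concatenation instead of being passed with bound parameters.
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
DYNAMIC_STRING = re.compile(r"""\bf["']|\.format\(|["']\s*%\s*[\w(]|["']\s*\+|\+\s*["']""")


def flag_dynamic_sql(source):
    """Return 1-based line numbers in `source` that look like string-built SQL."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_VERB.search(line) and DYNAMIC_STRING.search(line)]


def audit_handlers():
    """Run the heuristic over the two handlers defined above."""
    return {fn.__name__: flag_dynamic_sql(inspect.getsource(fn))
            for fn in (list_folders_vulnerable, list_folders_safe)}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
    print(audit_handlers())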
Lessons
- Legacy products that handle sensitive data need periodic security audits of the code paths that take untrusted input, not just of the deployment
- SQL injection is still a zero-day cause in 2023 and beyond, and parameterized queries remain the fix
- Supply-chain impact of shared products is cumulative: one MOVEit bug = hundreds of breaches, many of them at organizations that never ran MOVEit themselves