If you’re running Progress Software’s MOVEit Transfer in your environment, stop reading this and go patch immediately. CVE-2023-34362 is a critical SQL injection vulnerability in MOVEit Transfer’s web application that allows unauthenticated attackers to gain access to the database — and it’s been actively exploited in the wild since at least late May. This is shaping up to be one of the most significant supply chain security incidents of the year.
What We Know So Far
MOVEit Transfer is a managed file transfer (MFT) solution used by thousands of organizations to move sensitive data between partners, clients, and internal systems. Think payroll data, healthcare records, financial documents — exactly the kind of data that makes attackers salivate.
The vulnerability is a SQL injection flaw in the web application component. An unauthenticated attacker can send a crafted request to the MOVEit Transfer web application that results in unauthorized access to the MOVEit database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
Progress Software released a patch on May 31, along with a detailed advisory. They recommend immediate patching and provide indicators of compromise (IOCs) for organizations to check whether they’ve already been compromised. The key IOC to look for is a webshell file named human2.aspx in the wwwroot folder of the MOVEit installation.
Security researchers at Mandiant and Rapid7 have confirmed mass exploitation is underway. The attacks appear to have started as early as May 27, meaning there was a window of at least four days where organizations were being actively compromised before a patch was available.
The MFT Attack Surface Problem
This isn’t the first time managed file transfer solutions have been targeted in high-profile attacks. In January, the Clop ransomware group exploited a zero-day in Fortra’s GoAnywhere MFT, compromising over 130 organizations. Before that, Accellion’s legacy FTA product was exploited in 2020-2021, affecting dozens of organizations including Shell, Kroger, and multiple universities.
MFT solutions are attractive targets for a specific reason: they sit at the boundary of organizations and handle the most sensitive data by design. They’re often exposed to the internet (necessarily, for file transfer functionality), and they aggregate data from multiple sources. Compromising an MFT solution is like hitting a data warehouse — you get access to sensitive files from across the organization in a single breach.
The pattern is concerning. These products are often legacy enterprise software with codebases that predate modern secure development practices. They handle authentication, file storage, and web interfaces — a large attack surface with complex security requirements. And because they’re enterprise infrastructure rather than consumer-facing, they often don’t receive the same security scrutiny as more visible products.
Practical Response Steps
If you have MOVEit Transfer in your environment, here’s what you should be doing right now:
Immediate actions:
- Apply the patch from Progress Software. If you can’t patch immediately, disable all HTTP and HTTPS traffic to your MOVEit Transfer environment by modifying firewall rules. The file transfer functionality through SFTP/FTP will continue to work.
- Check for the human2.aspx webshell in your MOVEit installation’s wwwroot directory.
- Review HTTP access logs for unexpected large data downloads or connections from unfamiliar IP addresses.
- Check for any unexpected files in the MOVEit Transfer directories.
Investigation steps:
- Review Azure/IIS logs for evidence of SQL injection attempts — look for unusual query strings containing SQL syntax.
- Check for any new user accounts that were created without authorization.
- Examine database audit logs for unexpected queries or data exports.
- If you find evidence of compromise, assume all data in the MOVEit environment has been exfiltrated and begin your incident response process.
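As an added example (not from the original post, and not Progress Software’s tooling), a Python triage script that applies the checks above to an IIS W3C access log and the wwwroot directory: requests to the human2.aspx IOC, URL-decoded query strings carrying SQL syntax, and unusually large successful downloads. The log sample, the 1 MiB download threshold and the non-IOC URL paths are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote_plus

WEBSHELL_NAME = "human2.aspx"  # IOC named in the Progress advisory
# Coarse SQL-syntax patterns; a file-transfer front end should never see these in a query string.
SQL_SYNTAX = re.compile(
    r"(union\s+select|'\s*or\s+|--|;\s*(drop|delete|insert|update)\b|waitfor\s+delay|sleep\()",
    re.IGNORECASE,
)

def parse_w3c(text):
    """Yield one dict per IIS W3C log entry, keyed by the '#Fields:' header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage_iis_log(text, large_bytes=1_048_576):
    """Return (kind, client_ip, uri) tuples for suspicious entries, in log order."""
    findings = []
    for e in parse_w3c(text):
        ip, stem = e.get("c-ip", "?"), e.get("cs-uri-stem", "")
        query = unquote_plus(e.get("cs-uri-query", "-"))  # IIS logs the query URL-encoded
        size = e.get("sc-bytes", "0")
        if stem.lower().endswith("/" + WEBSHELL_NAME):
            findings.append(("webshell-request", ip, stem))
        if query != "-" and SQL_SYNTAX.search(query):
            findings.append(("sqli-syntax", ip, f"{stem}?{query}"))
        if e.get("sc-status") == "200" and size.isdigit() and int(size) >= large_bytes:
            findings.append(("large-download", ip, stem))
    return findings

def find_webshell_on_disk(wwwroot):
    """List any file named like the IOC under the MOVEit wwwroot (case-insensitive)."""
    return [p for p in Path(wwwroot).rglob("*") if p.is_file() and p.name.lower() == WEBSHELL_NAME]

# Constructed log sample (not a real capture); IPs are from documentation ranges.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2023-05-28 02:11:07 198.51.100.23 POST /human2.aspx - 200 1532
2023-05-28 02:12:44 198.51.100.23 GET /api/v1/folders/1234/files sort=%27%20union%20select%201-- 500 0
2023-05-28 08:30:00 203.0.113.9 GET /human.aspx - 200 8921
2023-05-28 08:30:05 203.0.113.9 GET /api/v1/files/77/download - 200 5242880
"""
if __name__ == "__main__":
    for kind, ip, uri in triage_iis_log(SAMPLE_IIS_LOG):
        print(f"{kind:17} {ip:15} {uri}")
```

Run it against the real IIS log directory and the MOVEit wwwroot path on the server; any hit on the first two checks is grounds to treat the host as compromised and move to the incident response steps above.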
The Broader Lesson
I’ve been in this industry long enough to feel a deep frustration with the recurring pattern here. Enterprise file transfer products keep getting popped with the same classes of vulnerabilities — SQL injection, authentication bypass, arbitrary file upload. These aren’t exotic attack techniques. SQL injection is a solved problem in modern web development frameworks. The fact that it’s still appearing in enterprise software handling sensitive data in 2023 reflects a fundamental failure in software quality and security investment.
For organizations evaluating their file transfer infrastructure, the question isn’t just “is our current product patched?” It’s “does our file transfer architecture minimize the blast radius of a compromise?” This means thinking about segmentation — can your MFT solution access all your sensitive data, or is it limited to specific transfer jobs? It means thinking about monitoring — are you logging and alerting on unusual data access patterns? And it means thinking about alternatives — do you actually need a centralized MFT solution, or could you use more modern, segmented approaches to file transfer?
My Take
Every time one of these MFT vulnerabilities drops, I have the same conversation with colleagues: “Why are we still running these things?” The answer is always the same — inertia, compliance requirements, partner dependencies, and the sheer difficulty of migrating file transfer workflows that have been running for years.
But the risk calculus is changing. Three major MFT zero-days in three years, each resulting in mass exploitation and data theft, should be a wake-up call. If your organization is running MOVEit Transfer, GoAnywhere, or similar legacy MFT products, now is the time to start a serious evaluation of your options — not just patching and moving on until the next zero-day drops.
In the short term, patch now. Investigate for compromise. Review your network segmentation around MFT infrastructure. In the longer term, start the conversation about whether your file transfer architecture needs a fundamental rethink. The attackers have clearly identified MFT solutions as high-value targets, and they’re not going to stop.
