MOVEit Transfer: The Supply Chain Breach That Keeps Growing

Author: Osmond van Hemert
Supply Chain Security - This article is part of a series.
Part : This Article

The scale of the MOVEit Transfer breach keeps expanding. What started as a single zero-day vulnerability disclosure at the end of May has now ballooned into one of the largest mass-exploitation events of the year. Hundreds of organizations are confirmed affected, from government agencies to major corporations, with the Cl0p ransomware gang claiming responsibility and methodically leaking data from organizations that refuse to pay.

Every week brings new victims. The BBC, British Airways, Shell, the US Department of Energy, multiple US state governments, universities, and financial institutions — the list grows daily. And we’re likely still in the early stages of understanding the full blast radius.

The Vulnerability Chain

The initial vulnerability, CVE-2023-34362, is a SQL injection flaw in the MOVEit Transfer web application. It’s about as classic as vulnerabilities get — an unauthenticated attacker can send crafted requests to the application endpoint and execute arbitrary SQL against the backend database. From there, it’s trivial to exfiltrate data or deploy webshells for persistent access.
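To make the class of bug concrete, here is an added example (not MOVEit code, and not from the article) showing a generic file-lookup routine written the vulnerable way, by concatenating user input into the SQL text, beside the parameterised form that fixes it. The table, rows and hostile input are constructed for illustration; the point is that the bound parameter is compared literally, so the same input that rewrites the concatenated query's logic simply matches nothing.

```python
"""Added example: string-built SQL beside its parameterised fix.
Not MOVEit code; table, rows and inputs are constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table of file records (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [
            (1, "alice", "payroll-q2.csv"),
            (2, "bob", "contract.pdf"),
            (3, "alice", "hr-review.docx"),
        ],
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Builds the query by concatenation: the caller-supplied 'owner' value
    becomes part of the SQL text, so a crafted value can change the query's
    logic instead of being treated as data."""
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return sorted(row[0] for row in conn.execute(sql))


def list_files_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterised query: the driver binds 'owner' as a value, so whatever
    it contains is compared literally against the column."""
    sql = "SELECT name FROM files WHERE owner = ?"
    return sorted(row[0] for row in conn.execute(sql, (owner,)))


def demo() -> dict:
    """Run both variants against the same inputs and return the results."""
    conn = make_db()
    # Constructed hostile input: closes the string literal and appends an
    # always-true condition, which the concatenated query happily accepts.
    hostile = "nobody' OR '1'='1"
    return {
        "vulnerable": list_files_vulnerable(conn, hostile),  # every row leaks
        "safe": list_files_safe(conn, hostile),              # no row matches
        "safe_legit": list_files_safe(conn, "alice"),        # normal lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The fix is the same in every language and driver: never splice untrusted input into SQL text; bind it as a parameter. Code review for a codebase that has had one injection finding should grep for every place a query string is assembled by concatenation or string formatting, which is also why follow-on findings after the first one are common.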

Progress Software, the maker of MOVEit, patched the initial flaw on May 31. But the damage was already done. Cl0p had been exploiting the vulnerability since at least late May, quietly exfiltrating data from hundreds of MOVEit instances before anyone knew what was happening.

Then it got worse. On June 9, a second vulnerability (CVE-2023-35036) was discovered during code review prompted by the first. On June 15, a third (CVE-2023-35708). Each required emergency patches. The pattern suggests that MOVEit’s codebase has deep-seated security issues that weren’t caught during development. When you find one SQL injection bug, there are usually more.

Why Managed File Transfer Is a Perfect Target

If you’ve worked in enterprise IT, you know managed file transfer (MFT) tools. They’re the workhorses that move sensitive data between organizations — financial records, healthcare data, HR files, legal documents. They’re often internet-facing by design, because they need to receive files from external partners.

This makes them perfect targets:

  • Internet-facing: They have to be accessible, which means they’re in the attacker’s crosshairs
  • High-value data: The files passing through MFT systems are exactly what attackers want
  • Trusted position: MFT tools often have access to internal networks and databases
  • Slow to patch: Organizations running critical file transfer infrastructure are often reluctant to apply patches quickly for fear of breaking integrations
  • Legacy codebases: Many MFT products have been around for decades, with code written before modern security practices were standard

The MOVEit breach follows the same playbook as the Accellion FTA exploitation in late 2020 and early 2021, and the GoAnywhere MFT breach earlier this year. Cl0p has been systematically targeting MFT platforms. They’ve found a lucrative niche.

The Supply Chain Dimension

What makes MOVEit particularly devastating is the supply chain amplification. Many affected organizations weren’t running MOVEit themselves — they were sharing data with a partner or vendor that was. Zellis, a UK-based payroll provider, used MOVEit to process payroll data. When Zellis was breached, the personal data of employees at the BBC, British Airways, Boots, and Aer Lingus was exposed.

This is the supply chain risk that security professionals have been warning about for years, manifested in the most straightforward way possible. Your security posture isn’t just about your own systems — it’s about every third party that touches your data.

For DevOps teams and infrastructure engineers, this should prompt some uncomfortable questions:

  • Do you know every file transfer mechanism in your organization? Not just the official MFT platform, but the SFTP servers, the shared drives, the “temporary” solutions that became permanent.
  • What data flows through these systems? Can you map the sensitivity of the data being transferred?
  • How quickly can you patch internet-facing file transfer services? If the answer is “weeks,” you have a problem.
  • Do your vendor contracts include security requirements for data handling? And do you verify compliance?

What We Should Be Doing

The immediate response to MOVEit is patch, investigate, and contain. But the broader lesson is about the security of data-in-transit infrastructure.

In my experience, file transfer systems are among the most neglected components in enterprise security programs. They’re “boring” infrastructure — not as exciting as cloud-native services or AI platforms. They don’t get the attention or investment that web applications or API gateways receive. But they process some of the most sensitive data in the organization.

A few practical steps that every team should consider:

  1. Inventory your file transfer systems. All of them. Including the ones running on that server in the corner that nobody wants to touch.
  2. Minimize exposure. Not every MFT instance needs to face the internet. VPNs, IP whitelisting, and zero-trust networking can reduce the attack surface.
  3. Monitor aggressively. Unusual data volumes, unexpected access patterns, new files appearing in transfer directories — these are signals that something is wrong.
  4. Encrypt data at rest, not just in transit. If an attacker compromises the MFT server, encrypted data at rest limits the damage.
  5. Review vendor security. If your partners are moving your data through tools like MOVEit, their security is your security.
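Step 3 above names three signals worth alerting on: unusual data volumes, unexpected access patterns, and new files appearing in transfer directories. The following added example (not from the article, and not tied to any particular MFT product) turns those into a small detector run over constructed audit-log lines. The log format, the per-user baseline of known source IPs, the off-hours window, the web-served folder name and the thresholds are all assumptions chosen for illustration; a real deployment would feed the same logic from the product's own audit export.

```python
"""Added example: detection rules for the monitoring signals listed above,
run over constructed MFT audit-log lines. Format and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format: "<ISO time> <user> <action> <source ip> <bytes> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (UPLOAD|DOWNLOAD) (\S+) (\d+) (\S+)$")

VOLUME_THRESHOLD_BYTES = 100 * 1024 * 1024   # per user per day (assumed)
OFF_HOURS = range(0, 6)                       # 00:00-05:59 local (assumed)
WEB_SERVED_PREFIXES = ("/wwwroot/",)          # assumed web-served folder
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".php", ".jsp")

# Constructed baseline: source IPs each account normally connects from.
KNOWN_IPS = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.7"},
    "svc_transfer": {"10.0.0.9"},
}

# Constructed sample log: normal daytime activity, then a script dropped into a
# web-served folder and an off-hours bulk download from an unfamiliar address.
SAMPLE_LOG = """\
2023-06-01T09:12:04 alice DOWNLOAD 10.0.0.5 20480 /payroll/q2.csv
2023-06-01T09:30:11 bob UPLOAD 10.0.0.7 51200 /contracts/msa.pdf
2023-06-01T10:02:45 alice DOWNLOAD 10.0.0.5 10240 /payroll/q1.csv
2023-06-01T11:15:00 svc_transfer UPLOAD 10.0.0.9 4096 /wwwroot/upload.aspx
2023-06-02T02:14:33 bob DOWNLOAD 203.0.113.44 734003200 /contracts/all.zip
2023-06-02T02:15:10 bob DOWNLOAD 203.0.113.44 524288000 /hr/export.zip
"""


def parse(log_text: str) -> list:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, ip, size, path = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "ip": ip, "bytes": int(size), "path": path,
        })
    return events


def detect(events: list, known_ips: dict) -> list:
    """Return (kind, user, detail) findings for the three monitoring signals."""
    findings = []
    seen = {u: set(ips) for u, ips in known_ips.items()}  # copy the baseline
    daily = defaultdict(int)                               # (user, day) -> bytes
    for e in events:
        user, ip, path = e["user"], e["ip"], e["path"]
        # Unexpected access pattern: a source address not in the user's baseline.
        if ip not in seen.setdefault(user, set()):
            findings.append(("new-source-ip", user, ip))
            seen[user].add(ip)  # report each new address once
        if e["action"] == "DOWNLOAD":
            daily[(user, e["ts"].date())] += e["bytes"]
            # Unexpected access pattern: downloads during the quiet window.
            if e["ts"].hour in OFF_HOURS:
                findings.append(("off-hours-download", user, path))
        # New files in transfer directories: a script landing where the web
        # server will execute it is the persistence pattern to watch for.
        if (e["action"] == "UPLOAD" and path.startswith(WEB_SERVED_PREFIXES)
                and path.lower().endswith(SCRIPT_EXTENSIONS)):
            findings.append(("script-in-web-dir", user, path))
    # Unusual data volume: per-user daily download total over the threshold.
    for (user, day), total in daily.items():
        if total > VOLUME_THRESHOLD_BYTES:
            findings.append(("volume", user, total))
    return findings


def run_demo() -> list:
    """Run the detector over the constructed sample log."""
    return detect(parse(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for kind, user, detail in run_demo():
        print(f"{kind:20} {user:14} {detail}")
```

On the sample data the detector reports one new source address for bob, two off-hours downloads, the script upload into the web-served folder, and bob's daily download total of roughly 1.2 GB. The volume rule is deliberately a static threshold for clarity; in practice a per-user rolling baseline catches a partner account that quietly doubles its usual traffic, which a fixed number will miss.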

My Take

I’ve seen enough breaches over the years to know that the biggest ones rarely involve exotic zero-days in cutting-edge software. They involve mundane vulnerabilities in mundane systems that handle extraordinarily sensitive data. MOVEit is a textbook example.

The Cl0p gang isn’t doing anything technically sophisticated here. SQL injection in a web application? We’ve known how to prevent that for twenty years. The sophistication is in the targeting — identifying that MFT platforms are high-value, widely deployed, and poorly defended.

This breach will keep expanding for weeks, possibly months. If your organization uses MOVEit — or any MFT platform — treat this as a wake-up call. And if you’re involved in DevOps or infrastructure, make sure file transfer systems get the same security attention as everything else in your stack.

This is part of my Security in Practice series, examining real-world security incidents and their implications for developers and infrastructure teams.
