PatchDay Alert
Analysis · 5 min read · 1,001 words · By analysis-desk

You can be the victim of a vulnerability in software you don't run

Most of the 90-plus million people whose data Cl0p stole through MOVEit had never heard of it, and their data leaked through payroll firms and service bureaus, not their own systems. CVE-2023-34362 is the case study in third-party data risk you can't patch your way out of.

The defining feature of the MOVEit breach isn’t the bug; it’s who got hurt. CVE-2023-34362 was a SQL injection in Progress MOVEit Transfer, and the Cl0p ransomware group used it to steal data from more than 2,700 organizations and expose the personal information of over 90 million individuals, per the running tallies of the campaign. The overwhelming majority of those people had never heard of MOVEit, didn’t use it, and weren’t customers of any company that ran it directly. Their data leaked anyway, because it was sitting inside a payroll processor, a benefits administrator, a government service bureau, or a bank that used MOVEit to move files. You can be the victim of a vulnerability in software you don’t run, operated by a company you’ve never dealt with, holding data you gave to someone else entirely.

That’s the lesson MOVEit teaches better than any other entry in the catalog, and it changes what “vulnerability management” has to mean.

What the bug is

CVE-2023-34362 is an unauthenticated SQL injection (CWE-89) in the MOVEit Transfer web application, rated CVSS 9.8. Depending on the backend database engine, an attacker can read and alter the database contents, and the Cl0p operators chained it to deploy a custom ASP.NET web shell, LEMURLOOT, for persistence and bulk data theft. Progress shipped a patch on May 31, 2023, and CISA added the CVE to the Known Exploited Vulnerabilities catalog on June 2 with the ransomware flag, but exploitation had begun as a zero-day around May 27, before the patch existed. The affected version list spans the 2021, 2022, and 2023 release lines.

Notably, Cl0p didn’t encrypt anything. The MOVEit campaign was pure data-theft extortion: steal the files, then pressure victims by threatening to publish on a leak site. That model is why the human impact was a count of exposed individuals rather than ransom payments, and why the consequences kept surfacing for months as one organization after another disclosed that their data had transited a breached MOVEit instance somewhere upstream.

Why this is a different kind of risk

Traditional vulnerability management is bounded by your own asset inventory: find the vulnerable software you run, patch it, done. MOVEit broke that boundary. The exposure for most victims wasn’t “do we run MOVEit.” It was “does anyone who holds our data, or our employees’ or customers’ data, run MOVEit.” That’s a question your patch program can’t answer and your firewall can’t address, because the vulnerable system is on someone else’s network.

A few uncomfortable implications follow:

  • Your data has a footprint you don’t control. Every vendor, processor, and partner you share data with extends your breach surface. When one of them runs a vulnerable file-transfer tool, your data is exposed regardless of how well you patch your own.
  • File-transfer software is a concentrated target for exactly this reason. Managed file transfer tools like MOVEit, GoAnywhere, and Cleo exist to move bulk sensitive data between organizations, which makes them a chokepoint where lots of other people’s data piles up. Cl0p has systematically hunted bugs in this category because one compromised MFT server yields many organizations’ data at once.
  • You often learn about it late, from someone else. Third-party breaches surface through notifications from the breached vendor, sometimes months later, by which point the data is long gone.

What to do

The response splits by whether you run the software and, more importantly, by your relationship to the data.

  • If you run MOVEit Transfer, patch and assume breach for the zero-day window. Get to a fixed version, hunt for the LEMURLOOT web shell and the indicators in CISA’s advisory, and treat an instance that was internet-facing and unpatched in late May 2023 as compromised. The web interface should not be exposed to the internet.
  • Map where your sensitive data actually lives, including third parties. You can’t defend data you’ve lost track of. Maintain an inventory of which vendors and processors hold your data and your customers’ and employees’ data, and what categories. This is the prerequisite for reasoning about third-party exposure at all.
  • Build third-party risk into your security program as a first-class activity. Vendor security questionnaires, contractual breach-notification requirements, and minimizing the data you hand out all reduce the blast radius when a vendor gets hit. You can’t patch their MOVEit, but you can limit what of yours is sitting in it and how fast you hear when something goes wrong.
  • Minimize and expire shared data. Data you never sent to a vendor can’t leak from that vendor. Data you sent and they deleted on schedule is gone before the breach. Aggressive data minimization and retention limits are among the few controls that actually shrink third-party exposure.
  • Have a notification-response plan. When the “your data was involved in a third-party incident” letter arrives, you need a process to assess impact, notify affected parties, and meet your own regulatory obligations, because the upstream breach becomes your disclosure problem.
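The inventory, minimization and notification steps above become concrete once the vendor inventory is data you can query. The script below is an added example, not code from this article or from Progress: it takes a constructed inventory of datasets shared with vendors (which software each vendor runs, when the data was due for deletion, whether deletion was confirmed) plus an advisory record for a zero-day, and reports which datasets were still held on the affected product when in-the-wild exploitation began, which vendors still report an unpatched build, and which deletions are overdue. Vendor names, versions, dates and record counts are constructed, and the fixed build numbers are placeholders, not Progress's real release numbers.

```python
"""Third-party exposure triage for a zero-day in vendor-run software.

Added example (not from the PatchDay Alert article). The key point it
encodes: for a zero-day, the version a vendor runs *today* says nothing
about exposure during the window before a patch existed; what matters is
whether your data was still sitting there when exploitation began.
All vendors, versions, dates and counts below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class SharedDataset:
    vendor: str                 # organization holding the data
    product: str                # software the vendor uses to receive/process it
    version: str                # build the vendor last reported (e.g. on a questionnaire)
    categories: frozenset       # data categories, e.g. {"ssn", "bank"}
    records: int                # individuals in this dataset
    sent: date                  # transfer date
    retention_days: int         # contractual deletion deadline after transfer
    deleted_on: Optional[date]  # vendor-confirmed deletion date, None if none received

    @property
    def due(self) -> date:
        return self.sent + timedelta(days=self.retention_days)

    def held_on(self, day: date) -> bool:
        """True if the vendor still had this data on `day`."""
        return self.sent <= day and (self.deleted_on is None or self.deleted_on > day)


@dataclass(frozen=True)
class Advisory:
    product: str
    exploitation_start: date  # first known in-the-wild exploitation
    patch_date: date          # first day a fix existed
    fixed_builds: dict        # release line ("2023.0") -> first fixed build (PLACEHOLDER values)


def parse_version(v: str) -> tuple:
    """'2023.0.2' -> (2023, 0, 2) so builds compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def release_line(v: str) -> str:
    return ".".join(v.split(".")[:2])


def still_unpatched(ds: SharedDataset, adv: Advisory) -> bool:
    """Vendor's last-reported build is below the fixed build for its release line.
    A line the advisory does not list is treated as unpatched (unknown = assume affected)."""
    if ds.product != adv.product:
        return False
    fixed = adv.fixed_builds.get(release_line(ds.version))
    return fixed is None or parse_version(ds.version) < parse_version(fixed)


def exposed_in_zero_day_window(inventory, adv: Advisory):
    """Datasets held on the affected product when exploitation began.
    No patch existed yet, so the current version is deliberately ignored here."""
    return [ds for ds in inventory
            if ds.product == adv.product and ds.held_on(adv.exploitation_start)]


def overdue_deletions(inventory, today: date):
    """Past the retention deadline with no deletion confirmation: chase the vendor."""
    return [ds for ds in inventory if ds.deleted_on is None and ds.due < today]


def triage(inventory, adv: Advisory, today: date) -> dict:
    exposed = exposed_in_zero_day_window(inventory, adv)
    return {
        "exposed_vendors": sorted(ds.vendor for ds in exposed),
        # datasets may overlap in people, so this is an upper bound, not a headcount
        "records_upper_bound": sum(ds.records for ds in exposed),
        "categories": sorted(set().union(*(ds.categories for ds in exposed))),
        "still_unpatched": sorted(ds.vendor for ds in inventory if still_unpatched(ds, adv)),
        "overdue_deletions": sorted(ds.vendor for ds in overdue_deletions(inventory, today)),
    }


# Constructed advisory record: dates follow the article; builds are placeholders.
ADVISORY = Advisory(
    product="MOVEit Transfer",
    exploitation_start=date(2023, 5, 27),
    patch_date=date(2023, 5, 31),
    fixed_builds={"2021.0": "2021.0.99", "2021.1": "2021.1.99",
                  "2022.0": "2022.0.99", "2022.1": "2022.1.99", "2023.0": "2023.0.99"},
)

# Constructed inventory of what we have shared and with whom.
INVENTORY = [
    SharedDataset("PayrollCo", "MOVEit Transfer", "2023.0.2", frozenset({"ssn", "bank"}),
                  12000, date(2023, 4, 10), 90, None),              # held, still unpatched
    SharedDataset("BenefitsInc", "MOVEit Transfer", "2023.0.99", frozenset({"ssn", "health"}),
                  8000, date(2023, 1, 15), 60, date(2023, 3, 16)),  # deleted before the window
    SharedDataset("BankCorp", "MOVEit Transfer", "2023.0.99", frozenset({"bank"}),
                  5000, date(2023, 5, 20), 365, None),              # patched now, exposed then
    SharedDataset("PrintShop", "GoAnywhere MFT", "7.1.0", frozenset({"address"}),
                  3000, date(2023, 5, 1), 30, None),                # other product, overdue deletion
    SharedDataset("StaffingLtd", "MOVEit Transfer", "2022.1.3", frozenset({"ssn"}),
                  2000, date(2023, 6, 5), 30, None),                # sent after the window, unpatched
]

if __name__ == "__main__":
    for k, v in triage(INVENTORY, ADVISORY, date(2023, 6, 15)).items():
        print(f"{k}: {v}")
```

Note that BankCorp is reported as exposed even though it now runs a fixed build, while StaffingLtd is not exposed for the zero-day window yet is flagged as still unpatched because data sent in June is sitting on a vulnerable build today. Both outcomes are deliberate: the zero-day question and the "are they patched now" question need separate answers, and a single version check would get one of them wrong.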

The reframe is the part that outlives this CVE. Vulnerability management framed purely as “patch our stuff” is necessary and badly incomplete, because your risk now includes software running on networks you’ll never touch, holding data you handed over in good faith. MOVEit turned a single SQL injection into a 90-million-person data breach precisely by exploiting the chokepoints where many organizations’ data converges. Patch what you run, and then do the harder work: know where your data goes, demand that the people holding it protect and report, and keep as little of it out there as the business can tolerate. We track the file-transfer and third-party-software entries with particular attention, because those are the bugs where your exposure isn’t on your network at all.
