Moveit Transfer SQL Injection Vulnerability (CVE-2023-34362)

Executive Summary

MOVEit Transfer is a managed file transfer (MFT) application designed to facilitate secure collaboration and automate the transfer of sensitive data. 

A SQL injection vulnerability has been identified in the MOVEit Transfer web application, present in versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). This vulnerability poses a significant security risk. When exploited, the initial vulnerability (CVE-2023-34362) is used to plant a web shell on the MOVEit Transfer server, allowing malicious actors to perform various actions such as enumerating files and directories, accessing configuration details, downloading files, and managing MOVEit server user accounts. This breach also posed a risk of unauthorized access to Azure system settings, associated keys, and containers.

Unit 42's investigation identified the earliest signs of compromise on May 27, with the tactics, techniques, and procedures (TTPs) employed aligning closely with those documented by other organizations in their initial reports. Shodan data reveals the presence of more than 2500 servers running this particular software on the Internet.

This post will detail our research findings thus far and offer recommendations for detection, response, and protection measures. Please refer to the changelog provided at the end of this post for any recently updated information.

Affected Versions

Patches

Progress maintains a webpage on their community website where the official patches for its supported versions are posted.

Timeline

Mid-January 2023

May 27, 2023

May 28, 2023

May 31, 2023

June 5, 2023

June 6, 2023


Attack Anatomy

moveitisapi.dll is used to perform SQL injection when requested with specific headers.

guestaccess.aspx is used to prepare a session and extract CSRF tokens and other field values to perform further actions.

human2.aspx is the web shell named LEMURLOOT, which demands a password for access. It utilizes a GET request for connection. LEMURLOOT is coded in C# and is specifically crafted to exploit the MOVEit Transfer platform. This web shell verifies incoming HTTP requests through a predefined password and can execute commands to download files from the MOVEit Transfer system, extract Azure system settings, fetch comprehensive record data, as well as create, insert, or delete specific user accounts. When providing a response, this web shell returns data in a compressed format using gzip.

The SQL Injection

The SQL Injection is triggered by sending a POST request using the MOVEitISAPI.dll as described here.

API Access

A POST request to /api/v1/token allows an access token to be retrieved, as described here.

The File Upload

The attacker may have initiated a "resumable" file upload, employed SQL injection to modify the upload's target location, and proceeded with the file upload process. This may be the mechanism used to upload the webshell.

From here, all the attacker needs to do is request the web shell and enter the correct password to remotely control the compromised server.

The Webshell - human2.aspx

The web shell presents the following TTPs and logic.

MITRE TTPs of the Web Shell LEMURLOOT

Web shell tactics: Initial Access, Persistence, Command and Control, Exfiltration, Defense Evasion.


Defend & Respond

Threat Hunt

Using the Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->WebBaseDir

HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->LogsBaseDir

Indicators of Compromise

User Agents

Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/113.0.0.0+Safari/537.36

Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0

Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36

Paths

D:\MOVEitDMZ\wwwroot\human2.aspx

E:\MOVEitTransfer\wwwroot\human2.aspx

C:\Windows\Temp\erymbsqv\erymbsqv.dll

C:\Windows\Microsoft.net\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9a11d1d0\5debd404
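As an added example (not Unit 42's or Progress's code), the following Python hunts an IIS W3C log for the attack chain described above: requests to the web shell path human2.aspx, and requests to moveitisapi.dll or guestaccess.aspx carrying one of the indicator user agents (which appear in IIS logs with spaces encoded as '+'). The log lines are constructed; on a real server the log directory would be located using the registry values from the Threat Hunt section.

```python
"""Hunt IIS W3C Extended logs for CVE-2023-34362 attack-chain activity."""

# User agents from the IoC list, exactly as IIS writes them (spaces become '+').
INDICATOR_USER_AGENTS = {
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/113.0.0.0+Safari/537.36",
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0",
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36",
}
# Endpoints touched by the chain: SQLi entry point, session preparation, web shell.
SUSPECT_URIS = {"/moveitisapi/moveitisapi.dll", "/guestaccess.aspx", "/human2.aspx"}

# Constructed sample log (not a real capture); the last line is benign traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2023-05-27 10:01:02 192.0.2.10 POST /moveitisapi/moveitisapi.dll 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0
2023-05-27 10:01:03 192.0.2.10 POST /guestaccess.aspx 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0
2023-05-27 10:01:09 192.0.2.10 GET /human2.aspx 200 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0
2023-05-27 10:05:00 198.51.100.7 POST /api/v1/token 200 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/605.1.15
"""


def parse_w3c(lines):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields: directive")
        yield dict(zip(fields, line.split()))


def hunt(lines):
    """Return (client_ip, uri, reason) tuples for records that need triage."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "").lower()
        ua = rec.get("cs(User-Agent)", "")
        if uri.endswith("/human2.aspx"):
            # human2.aspx is not a legitimate MOVEit page: any hit is suspicious.
            hits.append((rec["c-ip"], uri, "request to web shell path"))
        elif any(uri.endswith(s) for s in SUSPECT_URIS) and ua in INDICATOR_USER_AGENTS:
            hits.append((rec["c-ip"], uri, "indicator user agent on attack-chain endpoint"))
    return hits


if __name__ == "__main__":
    for ip, uri, reason in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ip} {uri} -> {reason}")
```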