IRONSMITHINTEL
CRITICAL | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2023-34362 | Auth: none — unauthenticated | Reboot: not required | Est. 1 hour including compromise check and patch | Manual only

Progress MOVEit Transfer < 2023.0.1 — RCE

A SQL injection in MOVEit Transfer's web application allows unauthenticated attackers to access and download stored files. Apply Progress's emergency patch immediately — Cl0p ransomware exploited this zero-day to steal data from thousands of organisations.

Published Jun 1, 2023 · Updated May 10, 2026
Why patch (risk explained in plain English)

Worst-case scenario (if unpatched)

An unauthenticated attacker can access and download all files stored in the MOVEit Transfer system, which often includes sensitive documents, PII, financial data, and HR records transferred by enterprise customers. The web shell enables persistent access for ongoing data theft. Hundreds of organisations had data exfiltrated and then received ransom demands.

How the attack works (no clicks needed)

MOVEit Transfer's web application contains a SQL injection vulnerability in the SFTP or HTTP interface. An unauthenticated attacker can send a crafted HTTP request to inject SQL commands, which allows them to enumerate the database, retrieve stored file contents, and install a web shell for persistent access.

Am I affected? (quick check)

Probably yes if any of these apply:

IT Administrators
File Transfer Administrators
IT Security
Compliance Teams
Running MOVEit Transfer 2023.0.0 and earlier, 2022.1.x prior to 2022.1.7, 2022.0.x prior to 2022.0.6, 2021.1.x prior to 2021.1.6

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022

Fixed in: MOVEit Transfer 2023.0.1 / 2022.1.7 / 2022.0.6 / 2021.1.6

Real-world incidents (what we've seen)

The Cl0p ransomware group exploited CVE-2023-34362 as a zero-day in late May 2023; the group had likely been active since 2021 with similar vulnerabilities. Over 2,500 organisations across banking, government, healthcare, and education had data exfiltrated. Notable victims included the US Department of Energy, British Airways, Shell, and dozens of US state and local governments. This became one of the largest mass-exploitation events of 2023.

How to patch

Manual remediation steps

Estimated time: 1 hour including compromise check and patch

Check for Web Shell / Compromise Indicators FIRST

# Search for recently created ASPX files in the MOVEit web root
$moveitRoot = "C:\MOVEitTransfer\wwwroot"
Get-ChildItem $moveitRoot -Recurse -Filter "*.aspx" |
  Where-Object { $_.CreationTime -gt [datetime]"2023-05-01" } |
  Select-Object FullName, CreationTime, LastWriteTime

# Check IIS logs for suspicious activity
# Dots are escaped so they match literally; Path and LineNumber locate each hit
Get-ChildItem "C:\inetpub\logs\LogFiles" -Recurse -Filter "*.log" |
  Select-String -Pattern "guestaccess\.aspx|human2\.aspx|\.cmdline" |
  Select-Object Path, LineNumber, Line
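
The Select-String check above returns raw log lines. The following added example (not part of the original page) reads IIS W3C logs by their #Fields header and reports time, source address, method and status for requests whose URI stem matches the same indicators. The function name Get-MoveitLogHit and the sample log lines are constructed for illustration.

```powershell
# Added example, not from the original page. Function name is hypothetical.
function Get-MoveitLogHit {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        # Indicators from the page's Select-String check, dots escaped to match literally.
        [string]$Pattern = 'guestaccess\.aspx|human2\.aspx|\.cmdline'
    )
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # IIS W3C logs declare their column order; it can change mid-file.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim()) { continue }
        $values = $l.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Match only the requested path, not referer or user-agent text.
        if ($row['cs-uri-stem'] -match $Pattern) {
            [pscustomobject]@{
                TimeUtc  = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Method   = $row['cs-method']
                UriStem  = $row['cs-uri-stem']
                Status   = $row['sc-status']
            }
        }
    }
}

# Constructed sample log lines (documentation IP ranges), not real traffic.
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0'
    '#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status'
    '2023-05-28 02:11:07 POST /guestaccess.aspx - 198.51.100.23 200'
    '2023-05-28 02:11:09 GET /human2.aspx - 198.51.100.23 404'
    '2023-05-28 02:15:40 GET /human.aspx - 203.0.113.8 200'
    '2023-05-28 02:16:02 GET /human2.aspx - 198.51.100.23 200'
)
$hits = Get-MoveitLogHit -Line $sample
$hits | Format-Table -AutoSize
# Requests per source address and page, to scope the review of preserved logs
$hits | Group-Object ClientIp, UriStem | Select-Object Count, Name
```

Hits on guestaccess.aspx need context, since that page is part of a normal MOVEit Transfer install. For real logs, pass the file contents with Get-Content, one file at a time, so each file's #Fields header applies to its own rows.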

If Compromised

1. Disconnect MOVEit Transfer from the internet IMMEDIATELY
2. Preserve all IIS and MOVEit log files before remediation
3. Contact Progress Support and your incident response team
4. Report to CISA if a government or critical infrastructure entity

Apply the Emergency Patch

1. Download the patch from https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
2. Stop IIS and the MOVEit service before applying
3. Run the patch installer as Administrator
4. Verify the patch version

Verify

# Check MOVEit Transfer version in the registry or web UI
Get-ItemProperty "HKLM:\SOFTWARE\MOVEit Transfer" -ErrorAction SilentlyContinue