In late May 2023, the Cl0p extortion gang began exploiting a previously unknown SQL injection vulnerability in MOVEit Transfer, a widely used managed-file-transfer product. By the time Progress Software disclosed and patched it on 31 May, the attackers had already used it against internet-facing MOVEit servers around the world. Over the following months the breach grew into one of the largest of the year: roughly 2,700 organisations and tens of millions of people, with independent running tallies reaching around 95 million individuals. The root cause was SQL injection, catalogued as CVE-2023-34362, the same class of bug behind the TalkTalk and Heartland breaches a decade earlier.
I use this case to retire the idea that SQL injection is a solved, legacy problem. In 2023, a single SQLi zero-day in one product produced one of the year's biggest breaches, and it did so at supply-chain scale, hitting thousands of organisations that had never even heard of MOVEit until their data appeared on an extortion site.
The attack chain

The technical chain is a clean, modern example of how a SQL injection becomes full server compromise.
- SQL injection into the web front end. MOVEit Transfer's web application had a SQL injection vulnerability reachable without authentication. The attackers sent crafted requests that the application concatenated into database queries, exactly the mechanism covered in the SQL injection deep dive, letting them manipulate the database.
- From injection to a web shell. They used the injection to plant a malicious file, a web shell named human2.aspx (chosen to sit beside MOVEit's legitimate human.aspx), which security researchers named LEMURLOOT. The web shell gave the attackers a controllable foothold on the server, authenticated by a hardcoded password they supplied in a custom HTTP header.
- Data exfiltration. With the web shell in place, the attackers enumerated and exfiltrated the files and metadata stored on the MOVEit server, often compressing the data and pulling it out within minutes of compromise. MOVEit's whole purpose is moving sensitive files between organisations, so the data on these servers was exactly the high-value material the attackers wanted.
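A defender reviewing IIS logs for the web-shell step above wants to know which .aspx pages were requested that the deployment does not actually ship, and whether any of them is a look-alike of a legitimate page, as human2.aspx was of human.aspx. The following is an added example, not MOVEit or Progress code: it parses IIS W3C-format lines (a constructed sample, with the filename human2.aspx being the only indicator taken from the text) and reports unknown .aspx paths, hit counts, source addresses, and any known page they imitate. The KNOWN_PAGES allow-list is an assumption; in practice it is populated from an inventory of the real webroot.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log sample (addresses from RFC 5737 documentation
# ranges); human2.aspx beside the legitimate human.aspx is the indicator.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-28 11:02:10 198.51.100.7 GET /human.aspx 200
2023-05-28 11:02:14 198.51.100.7 POST /human.aspx 200
2023-05-28 11:05:31 203.0.113.9 POST /human2.aspx 200
2023-05-28 11:05:33 203.0.113.9 POST /human2.aspx 200
2023-05-28 11:06:02 203.0.113.9 POST /HUMAN2.ASPX 200
2023-05-28 11:07:44 192.0.2.4 GET /human.aspx 200
"""

# Pages the deployment is known to serve. Assumption for this sample: only
# human.aspx; a real check uses an inventory of the installed webroot.
KNOWN_PAGES = {"/human.aspx"}

# "<known name><digits>.aspx" is the look-alike pattern seen in this case.
LOOKALIKE = re.compile(r"^(?P<base>.+?)\d+\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, named by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_unknown_aspx(text, known=KNOWN_PAGES):
    """Map each requested .aspx path not in `known` (case-insensitive) to
    its hit count, requesting addresses, and the known page it imitates."""
    known_lower = {k.lower() for k in known}
    findings = defaultdict(lambda: {"hits": 0, "sources": set(), "lookalike_of": None})
    for row in parse_w3c(text):
        path = row["cs-uri-stem"].lower()
        if not path.endswith(".aspx") or path in known_lower:
            continue
        entry = findings[path]
        entry["hits"] += 1
        entry["sources"].add(row["c-ip"])
        m = LOOKALIKE.match(path)
        if m and m.group("base") + ".aspx" in known_lower:
            entry["lookalike_of"] = m.group("base") + ".aspx"
    return dict(findings)
```

Calling `find_unknown_aspx(SAMPLE_LOG)` on the sample returns a single finding for /human2.aspx with three hits from one address, flagged as a look-alike of /human.aspx; the case-folding matters because IIS paths are case-insensitive.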
There was no encryption and no ransomware payload on the victims' systems. Cl0p has shifted to pure data theft and extortion: steal the files, then threaten to publish them on a leak site unless paid, naming victims publicly to apply pressure.
Why it reached thousands: the supply-chain multiplier
The single most important thing to understand about MOVEit is that the ~2,700 breached organisations were not 2,700 companies that each ran a vulnerable server. MOVEit is a product that other organisations run to move data on behalf of their clients. Payroll providers, benefits administrators, government agencies, and service firms run MOVEit, and their clients' data sits inside it.
So when the payroll-services vendor Zellis was hit through MOVEit, the breach cascaded to its customers, including the BBC, British Airways, and Boots, none of whom ran MOVEit themselves. One vulnerable internet-facing appliance fanned out to every downstream organisation whose data passed through it. That is the supply-chain multiplier, and it is why a single SQL injection in a single product became a breach affecting tens of millions of people.
It was also not Cl0p's first time doing this. MOVEit was the third managed-file-transfer product the group had hit with a zero-day, after Accellion FTA and Fortra's GoAnywhere. They have systematically targeted this category precisely because of the multiplier: file-transfer appliances are internet-facing, full of other people's sensitive data, and each one is a hub with many spokes.
The scale
| Figure | What it was |
|---|---|
| CVE-2023-34362 | The SQL injection vulnerability in MOVEit Transfer. |
| ~2,700+ organisations | Breached directly or downstream, by independent researcher tallies. |
| ~95 million individuals | People whose data was exposed, per Emsisoft's running tally, a figure that grew for over a year. |
| Cl0p (TA505 / FIN11) | The extortion group behind it, also tracked as Lace Tempest. |
The counts deserve a caveat: the organisation and individual totals come from independent researchers aggregating public disclosures, they grew steadily for more than a year as victims came forward, and they are widely considered undercounts rather than precise figures. Estimates of the aggregate financial cost run into the billions, but those are extrapolations from per-record cost models, not measured losses. The shape of the impact is clear even if the exact decimal is not: this was a breach measured in thousands of organisations and tens of millions of people, from one SQL injection bug.
The lessons I take from it
SQL injection is not a legacy problem. The single most important takeaway. A bug class first documented in the 1990s produced one of 2023's largest breaches. The defences (parameterised queries, treating all input as untrusted, security review of database access code) are the same as they have always been, and the reason SQLi persists is not that the fix is unknown but that it is missed, especially in mature, widely deployed products that everyone assumed were hardened.
Internet-facing appliances are high-value targets, and you inherit their risk. If you run a managed-file-transfer product, a VPN, or any internet-facing appliance that holds sensitive data, it is a prime target and it must be patched fast, monitored closely, and ideally not exposed to the whole internet. And if a vendor handles your data through such a product, their vulnerability is your breach. Vendor and supply-chain risk is not abstract; MOVEit is what it looks like.
Patch speed is the whole game for a zero-day. Cl0p was exploiting MOVEit before the patch existed, so for the earliest victims there was no patch to apply. But the window between disclosure and mass scanning is measured in hours, and the organisations that patched MOVEit immediately on 31 May fared far better than those that waited. For internet-facing software, an emergency patch is an emergency.
Know where your data lives, including in other companies. Many MOVEit victims first learned they were affected when a vendor told them. A current inventory of which third parties hold your data, and through what software, is what lets you respond on day one instead of week six.
Where to go next
For the mechanics of the bug at the root of this, the SQL injection deep dive covers how injection becomes server compromise, and the learning path sequences the whole topic. The older breaches in the same cluster are the TalkTalk breach, where injection was the entire attack, and the Heartland breach, where it was the entry point to a larger operation. For the full set of web attack classes, see the web application security vulnerabilities taxonomy.
Sources
Authoritative references this article was fact-checked against.
- CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability, CISA and FBI, AA23-158A (cisa.gov)
- MOVEit Transfer Critical Vulnerability, Progress Software (progress.com)
- CVE-2023-34362, NVD (nvd.nist.gov)
- Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft, Mandiant (Google Cloud) (cloud.google.com)
- Unpacking the MOVEit breach: statistics and analysis, Emsisoft (emsisoft.com)