MOVEit Transfer (CVE-2023-34362): The Cl0p Mass Exploitation Story

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

The MOVEit Transfer vulnerability (CVE-2023-34362) became the breach story of 2023. Cl0p ransomware exploited a SQL injection in Progress Software’s managed file-transfer product to compromise over 2,000 organisations globally, including major government agencies, banks, and Indian-market third-party data processors; the total exposure exceeded 90 million records. This article covers the vulnerability, why it spread so far so fast, and the third-party risk lesson it left behind.

The vulnerability

MOVEit Transfer is enterprise file-transfer software — used to securely move large files between organisations. The vulnerability was a SQL injection in the web interface that allowed an unauthenticated attacker to:

  1. Bypass authentication via SQLi
  2. Upload a malicious .NET webshell
  3. Use the webshell to exfiltrate every file the MOVEit instance had access to

From a single HTTP request to data exfiltration took roughly 10 minutes per instance.
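The chain above ends with a webshell that the server never shipped with, which gives defenders a concrete thing to look for: requests to a server-side script path that is not in the application's known route inventory, especially one that answers 200. The following is an added example written for this article, not code from Progress Software or from the page; the route inventory, host addresses and log lines are constructed placeholders, not the real product's endpoints.

```python
"""Scan IIS-style W3C logs for server-side script paths that are not in the
application's route inventory. Added example for this article; paths, hosts
and log lines are constructed placeholders, not the real product's endpoints."""

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")

# Assumption: script endpoints the application is known to serve, taken from a
# clean install. Constructed placeholders, not the product's real paths.
KNOWN_ROUTES = {"/login.aspx", "/upload.aspx", "/api/v1/token"}

# Field order assumed when a log has no #Fields: header.
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "sc-status", "sc-bytes"]

# Constructed sample log, not captured from any real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2023-05-27 22:01:10 203.0.113.7 POST /api/v1/token - 200 512
2023-05-27 22:01:12 203.0.113.7 PUT /upload.aspx - 200 95
2023-05-27 22:01:15 203.0.113.7 POST /NewFile.aspx - 200 1824
2023-05-27 22:01:40 203.0.113.7 GET /NewFile.aspx mode=download 200 4194304
2023-05-27 22:02:03 198.51.100.9 GET /login.aspx - 200 2200
2023-05-27 22:03:55 198.51.100.9 GET /probe.aspx - 404 0
"""


def parse_w3c(text):
    """Yield one dict per request line, honouring a #Fields: header if present."""
    fields = list(DEFAULT_FIELDS)
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real collector would count these
        yield dict(zip(fields, parts))


def find_unknown_scripts(log_text, known_routes=KNOWN_ROUTES):
    """Return {path: summary} for script paths outside the route inventory.
    A 200 on such a path means a file really exists on disk (a dropped file
    rather than a scanner probing for one), which is the signal that matters."""
    known = {r.lower() for r in known_routes}
    findings = {}
    for rec in parse_w3c(log_text):
        path = rec["cs-uri-stem"]
        if not path.lower().endswith(SCRIPT_EXTENSIONS) or path.lower() in known:
            continue
        entry = findings.setdefault(path, {
            "hits": 0, "served": 0, "bytes_out": 0, "sources": set(),
            "first_seen": f"{rec['date']} {rec['time']}",
        })
        entry["hits"] += 1
        entry["sources"].add(rec["c-ip"])
        if rec["sc-status"] == "200":
            entry["served"] += 1
            entry["bytes_out"] += int(rec["sc-bytes"])
    return findings


def ranked(findings):
    """Paths that actually answered 200 first, then by bytes they sent out."""
    return sorted(findings.items(),
                  key=lambda kv: (-kv[1]["served"], -kv[1]["bytes_out"]))


if __name__ == "__main__":
    for path, info in ranked(find_unknown_scripts(SAMPLE_LOG)):
        print(f"{path}: served={info['served']} hits={info['hits']} "
              f"bytes_out={info['bytes_out']} from={sorted(info['sources'])} "
              f"first_seen={info['first_seen']}")
```

The inventory of known routes is the part that needs care: build it from a clean install of the same version, and rebuild it after every upgrade, otherwise a legitimate new page shows up as a finding. Ranking by "served with 200" separates a file that really exists on the server from the background noise of scanners requesting paths that are not there.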

Why it spread so fast

MOVEit Transfer is the file-transfer pipe between thousands of organisations. Each MOVEit instance brokered files from many tenants, so compromising one instance breached every tenant whose data flowed through it.

Cl0p exploited the vulnerability at scale starting May 27, 2023 — pre-disclosure, as a zero-day. Within 48 hours, hundreds of MOVEit instances were compromised. Public disclosure came when defenders started finding the webshells. By then, the data was gone.

Indian impact

Indian organisations exposed via MOVEit included:

  • Several BPO / IT services companies whose MOVEit instances handled client data
  • Indian-market subsidiaries of multinational MOVEit users
  • Third-party processors for Indian financial services (some via parent-company breach)

Many Indian organisations were unaware their data flowed through a MOVEit instance until breach notifications arrived.

The third-party risk lesson

Most affected organisations had never directly used MOVEit. Their data was in MOVEit because:

  • A vendor used MOVEit to receive files from them
  • A subsidiary used MOVEit and the data flowed up
  • A regulatory reporting workflow included MOVEit somewhere in the chain

The vendor-risk inventory rarely captured fourth-party (vendor of vendor) exposure. The breach surfaced this gap industry-wide.
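The gap described here is a graph problem: our data moves from us to a vendor, from that vendor to its own vendors, and the product used on any hop is a shared dependency. The following is an added example, not a tool from this article or from any vendor, of the "where does our data live across our vendor chain" inventory the next section calls for. The vendor names, products and data categories are constructed; the only assumption is that each record says who sends which categories to whom over which product.

```python
"""Transitive data-flow inventory: which parties, and which of their products,
hold our data at which tier. Added example for this article; the vendor
names, products and data categories below are constructed."""
from collections import defaultdict, deque

# Constructed records: (sender, receiver, product used for the transfer,
# data categories the sender passes along). "us" is our own organisation.
FLOWS = [
    ("us", "PayrollCo", "sftp-portal", {"employee-pii"}),
    ("us", "AuditFirm", "email", {"financial-reports"}),
    ("us", "CloudBackup", "object-store", {"employee-pii", "financial-reports"}),
    # PayrollCo forwards more categories than it ever got from us; only the
    # intersection counts as our exposure.
    ("PayrollCo", "PayrollCo-BPO", "MFT-Product-X", {"employee-pii", "customer-pii"}),
    ("AuditFirm", "AuditFirm-Parent", "MFT-Product-X", {"financial-reports"}),
    ("AuditFirm-Parent", "Regulator-Portal", "regulatory-upload", {"financial-reports"}),
]


def trace_flows(flows, origin="us"):
    """Breadth-first walk from origin. Each hop is
    (tier, sender, receiver, product, categories_of_ours_reaching_receiver, path).
    Tier 1 is a third party, tier 2 a fourth party, and so on. A receiver only
    forwards categories it actually received from upstream."""
    by_sender = defaultdict(list)
    for src, dst, product, cats in flows:
        by_sender[src].append((dst, product, set(cats)))
    hops, seen = [], set()
    queue = deque([(origin, None, (origin,), 0)])
    while queue:
        party, held, path, tier = queue.popleft()
        for dst, product, cats in by_sender[party]:
            reaching = cats if held is None else cats & held
            if not reaching or dst in path:   # nothing of ours, or a cycle
                continue
            key = (dst, product, frozenset(reaching))
            if key in seen:
                continue
            seen.add(key)
            hops.append((tier + 1, party, dst, product, reaching, path + (dst,)))
            queue.append((dst, reaching, path + (dst,), tier + 1))
    return hops


def fourth_parties(flows, origin="us"):
    """Receivers we have no contract with (tier 2 and beyond) that hold our data."""
    return {dst for tier, _, dst, _, _, _ in trace_flows(flows, origin) if tier >= 2}


def blast_radius(flows, product, origin="us"):
    """If `product` is compromised anywhere in the chain: {category: {(party, tier)}}."""
    exposed = defaultdict(set)
    for tier, _, dst, prod, cats, _ in trace_flows(flows, origin):
        if prod == product:
            for cat in cats:
                exposed[cat].add((dst, tier))
    return dict(exposed)


if __name__ == "__main__":
    for tier, sender, dst, product, cats, path in trace_flows(FLOWS):
        print(f"tier {tier}: {sender} -> {dst} via {product}: {sorted(cats)} "
              f"({' > '.join(path)})")
    print("fourth parties:", sorted(fourth_parties(FLOWS)))
    print("if MFT-Product-X is breached:", blast_radius(FLOWS, "MFT-Product-X"))
```

In the constructed data nobody at tier 1 uses MFT-Product-X, yet `blast_radius` shows two of our data categories sitting in it at tier 2, which is exactly the position most MOVEit-exposed organisations were in. The records themselves come from the sub-processor disclosures in data-processing agreements; the walk is the easy part, collecting the records is the work.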

What changed in 2024-2026

  • SBOM-equivalent for vendor data flows — “where does our data live across our vendor chain”
  • SOC 2 / ISO 27001 expectations for vendor risk now include sub-processor disclosure
  • DPDP Act §8 (third-party processor obligations) being interpreted to require vendor-of-vendor visibility
  • Regulatory advisories (CERT-In, RBI) explicitly call out file-transfer-software risk

Defensive priorities

  • Edge file-transfer software patched on critical-CVE 7-day SLA
  • Vendor-of-vendor disclosure in all data-processing agreements
  • Egress monitoring from file-transfer servers — outbound to non-business destinations is suspicious
  • Zero-trust for file-transfer — data encrypted at rest with customer keys, not vendor keys
  • Alternatives to MOVEit-class products — modern object-storage with signed URLs, vendor-managed file-transfer with strong contractual security obligations
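The egress-monitoring item is the one a SOC can turn into a rule this week: a file-transfer server has a small, knowable set of legitimate outbound destinations, so anything else is worth an alert, and a large volume to one unknown peer in a short window is worth an escalation. The following is an added example, not code from this article or from any product; the server addresses, the allowlisted networks, the threshold and the flow records are all constructed.

```python
"""Egress monitoring for file-transfer servers. Added example for this article;
the MFT host list, the business-destination networks, the threshold and the
flow records below are constructed, not taken from any real environment."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these are the file-transfer servers, and these networks are the
# only places they should talk to (internal ranges plus one partner network).
FILE_TRANSFER_HOSTS = {"10.0.5.20"}
BUSINESS_DESTINATIONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
BULK_BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB to one external peer per window
WINDOW = timedelta(minutes=10)

# Constructed flow records: timestamp, source, destination, dst port, bytes out.
SAMPLE_FLOWS = """\
2023-05-27T22:00:05 10.0.5.20 192.0.2.40 22 120000
2023-05-27T22:01:00 10.0.5.20 10.0.9.9 1433 4000
2023-05-27T22:02:10 10.0.5.20 203.0.113.55 443 30000000
2023-05-27T22:04:30 10.0.5.20 203.0.113.55 443 35000000
2023-05-27T22:05:00 10.0.7.3 203.0.113.55 443 900000
2023-05-27T22:30:00 10.0.5.20 198.51.100.2 443 2000
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, bytes_out) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def is_business_destination(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BUSINESS_DESTINATIONS)


def egress_findings(text):
    """Two checks. Any flow from an MFT host to a non-business destination is a
    finding on its own. If such flows to one peer add up past the threshold
    inside a sliding window, a 'bulk-egress' finding is added with the total."""
    findings = []
    recent = defaultdict(list)   # (src, dst) -> [(ts, bytes)] inside the window
    for ts, src, dst, dport, nbytes in parse_flows(text):
        if src not in FILE_TRANSFER_HOSTS or is_business_destination(dst):
            continue
        findings.append(("unexpected-egress", ts, src, dst, dport, nbytes))
        bucket = recent[(src, dst)]
        bucket.append((ts, nbytes))
        bucket[:] = [(t, b) for t, b in bucket if ts - t <= WINDOW]
        total = sum(b for _, b in bucket)
        if total >= BULK_BYTES_THRESHOLD:
            findings.append(("bulk-egress", ts, src, dst, dport, total))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'unexpected-egress': 3, 'bulk-egress': 1}."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, ts, src, dst, dport, amount in egress_findings(SAMPLE_FLOWS):
        print(f"{ts.isoformat()} {kind}: {src} -> {dst}:{dport} ({amount} bytes)")
    print(summarize(egress_findings(SAMPLE_FLOWS)))
```

The first rule fires on a single flow of a few kilobytes, and that is intentional: on a server whose only job is moving files to known partners, the destination is the signal, not the volume. The volume rule exists so that the case that matters most, tens of megabytes leaving for one unknown peer, is escalated rather than buried among low-severity alerts.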

The takeaway

MOVEit was a single CVE that compromised 2,000+ organisations because of how data flowed through a shared product. The lesson is fourth-party visibility — knowing where your data lives across your entire vendor chain. The next MOVEit-equivalent will be a SaaS that you didn’t know was in your data path. Build the inventory now.
