The cybersecurity landscape faces a significant new threat as the Cybersecurity and Infrastructure Security Agency (CISA) officially added a critical vulnerability in Progress Software’s MOVEit Transfer platform to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw, tracked as CVE-2023-34362, represents a severe SQL injection vulnerability that threat actors have been actively exploiting since at least May 27, 2023, to deploy web shells and exfiltrate sensitive data from organizations worldwide.
The Exploit Mechanics
CVE-2023-34362 targets MOVEit Transfer, a widely used managed file transfer (MFT) solution employed by enterprises to securely move data between systems, partners, and customers. The vulnerability exists in the application’s guest access functionality, specifically within the guestaccess.aspx file, where attackers can inject malicious SQL commands through crafted HTTP POST requests.
Once the SQL injection is triggered, the attackers deploy a custom web shell dubbed LEMURLOOT by security researchers at Mandiant. This web shell masquerades as legitimate MOVEit components, using filenames such as human.aspx, human2.aspx, and _human2.aspx to blend in with normal application files. The earliest samples of LEMURLOOT were uploaded to VirusTotal beginning May 28, 2023, indicating rapid weaponization of the zero-day.
LEMURLOOT provides the threat actors with a tailored toolkit designed specifically for MOVEit Transfer environments. The web shell can enumerate files and folders, retrieve configuration information, and create or delete user accounts with hard-coded credentials. Most alarmingly, in multiple cases observed by incident responders, data theft occurred within minutes of the web shell being deployed, highlighting the speed at which the attackers operate.
Affected Systems
The vulnerability affects MOVEit Transfer versions 2023.0.0 and earlier. Organizations across a wide range of industries have been affected, with confirmed victims located in Canada, India, the United States, Italy, Pakistan, and Germany. The scope of the breach extends beyond what incident responders have directly observed: the scanning and exploitation were sourced from IP addresses in the 5.252.188.0/22 range, which suggests automated, widespread targeting rather than a handful of hand-picked victims.
Microsoft attributed the campaign to the threat group tracked as Lace Tempest on June 2, 2023, and further analysis by Mandiant linked the activity to FIN11, a financially motivated group known for ransomware and data theft extortion. On June 6, the CL0P ransomware group claimed responsibility on their data leak site, threatening to publish stolen data if victims did not pay extortion fees. This aligns with the group’s established pattern of exploiting file transfer vulnerabilities for mass data theft campaigns.
The impact extends beyond on-premises data. LEMURLOOT can also steal Azure Storage Blob information, including credentials, from MOVEit Transfer application settings, meaning organizations using Azure cloud storage for their MOVEit appliances may have had their cloud data compromised as well.
The Mitigation Strategy
Progress Software released patches for CVE-2023-34362 on May 31, 2023, and all organizations running MOVEit Transfer must apply these updates immediately. Beyond patching, security teams should conduct thorough reviews of their MOVEit systems for indicators of compromise, including checking for suspicious files masquerading as human.aspx or human2.aspx, reviewing HTTP logs for unusual POST requests to guestaccess.aspx, and monitoring for unauthorized user account creation.
Organizations should also revoke and rotate any credentials that may have been exposed through the MOVEit Transfer configuration settings, particularly Azure Storage credentials. Network-level blocking of the known exploitation IP range 5.252.188.0/22 can provide additional protection for systems awaiting patch deployment.
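As an added illustration of the log review described above (example code, not from the article or from Progress Software), the following helper reads IIS W3C-format request logs from a MOVEit Transfer host and flags the indicators the article lists: requests for the LEMURLOOT filenames, and POSTs to guestaccess.aspx, with those sourced from 5.252.188.0/22 marked high priority. The log lines and IP addresses are constructed for the example; the field names are the standard IIS ones.

```python
# Added triage helper (not from the article or Progress Software): scans IIS
# W3C request logs from a MOVEit Transfer host for the article's indicators.
import ipaddress

EXPLOIT_RANGE = ipaddress.ip_network("5.252.188.0/22")   # range named in the article
WEBSHELL_NAMES = {"human.aspx", "human2.aspx", "_human2.aspx"}  # LEMURLOOT filenames


def from_exploit_range(ip):
    """True if the client IP falls inside the published scanning/exploitation range."""
    try:
        return ipaddress.ip_address(ip) in EXPLOIT_RANGE
    except ValueError:          # malformed or missing c-ip field
        return False


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the '#Fields:' header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_webshell_files(paths):
    """Filter file paths (e.g. gathered with os.walk over wwwroot) to the known web shell names."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES]


def triage(lines):
    """Return (priority, client_ip, uri) findings in log order."""
    findings = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "").lower()
        ip = rec.get("c-ip", "")
        if find_webshell_files([uri]):                 # web shell name requested
            findings.append(("high", ip, uri))
        elif uri.endswith("guestaccess.aspx") and rec.get("cs-method", "").upper() == "POST":
            findings.append(("high" if from_exploit_range(ip) else "review", ip, uri))
    return findings


# Constructed sample log (not real traffic): RFC 5737 test addresses plus one
# address inside the published exploitation range.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-05-28 03:11:02 POST /guestaccess.aspx 5.252.190.17 200
2023-05-28 03:12:44 GET /human.aspx 5.252.190.17 200
2023-05-28 09:40:10 POST /guestaccess.aspx 198.51.100.23 200
2023-05-28 09:41:00 GET /api/v1/files 203.0.113.9 200
"""
```

Running `triage(SAMPLE_LOG.splitlines())` yields two high-priority findings for the in-range client and one "review" entry for the other guestaccess.aspx POST; the unrelated API request is not reported.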
Lessons Learned
The MOVEit zero-day incident underscores several critical lessons for the cybersecurity community. First, managed file transfer solutions are high-value targets because they handle sensitive data by design. Organizations must treat MFT platforms with the same security rigor applied to other critical infrastructure. Second, the speed of exploitation and data exfiltration demonstrates that threat actors have refined their operations to capitalize on zero-day vulnerabilities within days of initial exploitation. Third, supply chain and third-party software risks remain a dominant attack vector that requires continuous monitoring and rapid patch management.
User Action Required
If your organization uses MOVEit Transfer, take immediate action. Apply the security patches released by Progress Software, conduct a comprehensive forensic review of your systems, and notify affected stakeholders if data exfiltration is confirmed. With Bitcoin trading at approximately $27,249 and the broader crypto market capitalization exceeding $800 billion, the intersection of cybersecurity and financial data protection has never been more critical. Report any confirmed exploitation to CISA and relevant law enforcement agencies to assist in tracking the scope of this campaign.

sql injection in a file transfer tool in 2023. you would think enterprise software vendors would sanitize inputs by now
right? and this was a managed file transfer solution handling who knows how many orgs' data at once
MOVEit was handling data for government agencies and Fortune 500 companies. the blast radius of one unpatched input field is staggering
SQL injection in 2023 on enterprise software costing six figures in licensing. parameterized queries have been standard practice for 20 years
parameterized queries have been in every SQL tutorial since the 90s. zero excuse for a vendor charging enterprise license prices
parameterized queries standard since the 90s and enterprise vendors still ship SQL injection bugs in 2023. nothing changes
LEMURLOOT masquerading as human.aspx is clever tbh. most SOC teams would scroll right past that in a log review
can confirm. human.aspx in an IIS log from a MOVEit server would look totally normal unless you knew the exact filenames to flag. stealthy naming convention
human.aspx naming was clever but any decent EDR should flag new web shell creation regardless of filename. tooling failed not the humans
the Clop gang behind this hit hundreds of orgs. BBC, British Airways, US government agencies. all from one file transfer tool nobody thought to audit