Civilizational · Enterprise Software · May 31, 2023 · Draft

Progress Software (MOVEit): CVE-2023-34362 SQL injection in MOVEit Transfer leads to mass data theft

A pre-authentication SQL injection vulnerability in Progress's MOVEit Transfer file-transfer software was exploited by the Cl0p ransomware group to exfiltrate data from over 2,700 organisations.

Velocity Governance perspective · Sentinel-10 overlap: 2 of 3

2 of the 3 practices that failed in this incident are part of the Sentinel-10 — the engineering protocols Concordance flags as most degraded under AI-accelerated development.

This incident pre-dates today's AI-velocity surge. The thesis is that the same practices that failed here will fail faster under AI velocity if not actively governed. Read the Velocity Governance thesis →

Impact

Economic impact: $12.0B
Affected: 95.0M
Regulatory action: Multiple US state AG investigations, CISA emergency directive

Affected 2,700+ organisations and 95M+ individuals. IBM's Cost of a Data Breach Report estimated the cumulative cost at $12B+. Among the largest supply-chain breaches in history.

Root cause (from published RCA)

A SQL injection vulnerability existed in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to the MOVEit Transfer database. The vulnerability had existed in the codebase prior to discovery and was not detected by internal security scanning.

Concordance protocols that map to this root cause

Click any protocol to see every other indexed incident where it failed.

Protocol 4.6 · Security Analysis · Testing · SENTINEL · see all incidents →
SAST did not detect the SQL injection vulnerability before release despite it being a pre-auth flaw in a file-transfer application.
Protocol 4.7 · Dependency Scanning · Testing · see all incidents →
Dependency / vulnerability scanning did not flag the affected component in customer environments before active exploitation.
Protocol 2.6 · Dependency Management · Design · SENTINEL · see all incidents →
Dependency management posture across MOVEit-using organisations: most ran unpatched versions because update mechanisms were customer-pull, not vendor-push.

Primary sources

MOVEit Transfer Critical Vulnerability — Progress Security Bulletin
Progress Software · May 31, 2023
CVE-2023-34362
NIST NVD · June 2, 2023
CISA Advisory AA23-158A: #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362
CISA · June 7, 2023

Related incidents

Other incidents that failed at least one of the same protocols.

Apache Software Foundation (Log4j) · Dec 2021
CVE-2021-44228 — JNDI injection in Log4j enables remote code execution
xz utils (Tukaani Project) · Mar 2024
CVE-2024-3094 — multi-year social-engineering attack inserts backdoor …
SolarWinds · Dec 2020
SUNBURST malware injected into Orion build pipeline compromises 18,000…
OpenSSL Project · Apr 2014
CVE-2014-0160 — Heartbleed buffer over-read in OpenSSL TLS heartbeat
#supply-chain #sql-injection #sast-gap #cve #ransomware
Concordance Incident Index entry · CC BY 4.0 · Methodology · Errata: hello@concordancelabs.com