Connect with us

Hi, what are you looking for?



Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations

A zero-day vulnerability in Progress Software’s MOVEit Transfer product has been exploited to hack organizations and steal their data.

MOVEit zero-day exploited

A zero-day vulnerability affecting Progress Software’s MOVEit Transfer product has been exploited to hack organizations and steal their data.

Progress Software warned on May 31 that its MOVEit Transfer managed file transfer (MFT) software is affected by a critical SQL injection vulnerability that can be exploited by an unauthenticated attacker to access MOVEit Transfer databases.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the vendor said. 

A CVE identifier is in the process of being assigned to the vulnerability. 

Progress’ advisory is confusing as it states that the company is working on patches, but it also lists updated versions that should fix the security hole. Patches should be included in versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). The cloud version of the product appears to be impacted as well.

The company’s advisory does not clearly state that the vulnerability has been exploited in the wild, but it does tell customers that patching is extremely important and it does provide indicators of compromise (IoCs) associated with the observed attacks.

Several cybersecurity firms have reported seeing attacks involving the MOVEit zero-day, including Huntress, Rapid7, TrustedSec, GreyNoise, and Volexity.

Advertisement. Scroll to continue reading.

TrustedSec reported that mass exploitation started on May 28, with the attackers likely taking advantage of Memorial Day to increase their chances of being able to steal data without being detected. There is also some indication of limited exploitation prior to the holiday weekend. 

GreyNoise reported seeing scanning activity that could be related to this vulnerability as early as March 3. 

In the attacks observed in recent days, threat actors seem to have exploited the zero-day to deploy a webshell/backdoor in a file named ‘human2.aspx’ in the ‘wwwroot’ folder of the MOVEit software. This backdoor allows them to obtain a list of files and users associated with the MFT product, download files within MOVEit, and add a backdoor admin user.

Google-owned Mandiant has been investigating intrusions related to the zero-day attack and the company told SecurityWeek that it has seen “mass exploitation and broad data theft” in the past few days. 

Major organizations appear to be impacted. It’s unclear exactly how many are affected, but a Shodan search shows roughly 2,500 internet-exposed instances of MOVEit Transfer, and the vendor says its products are used by hundreds of thousands of enterprises, including 1,700 software firms.

Researcher Kevin Beaumont pointed out that one of the exposed MOVEit instances appears to belong to the US Department of Homeland Security (DHS). The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an alert to warn organizations about the zero-day. A vast majority of the internet-exposed instances are indeed located in the United States. 

The attackers appear to be using the exploit to steal potentially valuable data, which, as Beaumont noted, indicates that a ransomware or extortion group is behind the attacks. 

If confirmed, this would be the second popular MFT product targeted by cybercriminals in recent months. A vulnerability affecting Fortra’s GoAnywhere software has been used by a ransomware group to steal data from many organizations.

Related: GoAnywhere Zero-Day Attack Hits Major Orgs  

Related: Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.