{
	"id": "e2a684eb-4e3e-423e-ad31-58c10d62138e",
	"created_at": "2026-04-06T00:18:54.171127Z",
	"updated_at": "2026-04-10T03:30:21.133416Z",
	"deleted_at": null,
	"sha1_hash": "b4334e4d2faf302021cc45949d448aa893c6da1a",
	"title": "MOVEit Transfer Critical Vulnerability CVE-2023-34362 | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 843167,
	"plain_text": "MOVEit Transfer Critical Vulnerability CVE-2023-34362 |\r\nHuntress\r\nArchived: 2026-04-05 14:54:15 UTC\r\nUPDATED: 1 June 2023 @ 1733 ET - Added shareable Huntress YARA rule for assistance in detection\r\nefforts\r\nUPDATED: 1 June 2023 @ 2023 ET - Added Kostas community Sigma rule to assist in detection efforts\r\nUPDATED: 1 June 2023 @ 2029 ET - Added screenshots for the DLL that creates the human2.aspx file\r\nUPDATED: 2 June 2023 @ 1210 ET - Added CVE identification\r\nUPDATED: 2 June 2023 @ 1750 ET - Added registry locations for enriched investigation and analysis\r\nUPDATED: 5 June 2023 @ 1323 ET - Added video demonstration of proof-of-concept exploitation\r\nUPDATED: 5 June 2023 @ 2116 ET - Added video demonstration of RCE and ransomware\r\nLAST UPDATED: 12 June 2023 @ 1101 ET - Added latest CVE and other proof-of-concept details\r\nOn June 1, 2023, Huntress was made aware of active exploitation attempts against the MOVEit Transfer software\r\napplication. The day before, on May 31, 2023, the vendor Progress had released a security advisory stating\r\nthat there is a critical vulnerability that could lead to unauthorized access.\r\nOn June 2, this vulnerability was assigned the identifier CVE-2023-34362.\r\nProgress brought down MOVEit Cloud as part of their response and investigation.\r\nUPDATE 5 June 2023:\r\nHuntress has fully recreated the attack chain exploiting the MOVEit Transfer software. To the best of our knowledge,\r\ncurrently no one else has publicly done so.\r\nWe have uncovered that the initial phase of the attack, SQL injection, opens the door for even further compromise\r\n-- specifically, arbitrary code execution.\r\nSee the video demonstration below, where we use our exploit to receive shell access with Meterpreter,\r\nescalate to NT AUTHORITY\\SYSTEM and detonate a cl0p ransomware payload.\r\nFor this brief video demonstration, Microsoft Defender is turned off. 
An adversary can certainly disable antivirus\r\nwith a local admin account.\r\nThis means that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or\r\nperforms any other malicious action. Malicious code would run under the MOVEit service account user\r\nmoveitsvc, which is in the local administrators group. The attacker could disable antivirus protections, or achieve\r\nany other arbitrary code execution.\r\nhttps://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response\r\nPage 1 of 7\n\nThe behavior that the industry observed, adding a human2.aspx webshell, is not necessary for attackers to\r\ncompromise the MOVEit Transfer software. It's \"an option\" that this specific threat actor chose to deploy for\r\npersistence, but the attack vector offers the ability to detonate ransomware right away. Some have already publicly\r\nreported attackers pivoting to other file names.\r\nThe recommended guidance is still to patch and enable logging. From our own testing, the patch does effectively\r\nthwart our recreated exploit.\r\nAdditionally, a previous demonstration video showcased compromising the MOVEit Transfer API and application\r\nitself. With that alone, we can upload, download, and potentially exfiltrate files as a threat actor would.\r\nUPDATE 12 June 2023:\r\nA new CVE for our findings has been released as CVE-2023-35036. This refers to different attack vectors for SQL\r\ninjection and the ability to leak data from the database. Additionally, Rapid7 and Horizon3.ai have publicly\r\nreleased their own recreated proof-of-concept exploits.\r\nMicrosoft has now attributed this threat to \"Lace Tempest\" (per their new naming scheme), the group behind the\r\ncl0p ransomware gang. 
This is the same conclusion drawn by many across the threat intelligence community, as\r\ncl0p was also attributed to the earlier attack on GoAnywhere MFT, another file transfer product.\r\nAs usual, we will continue to update this blog article and our Reddit post with details as we find them.\r\nWhat it Does\r\nThere is a severe vulnerability in the MOVEit Transfer web application frontend that allows SQL injection, which\r\ncan be further abused to gain administrative access, exfiltrate files and gain arbitrary code execution.\r\nUltimately, the observed exploitation is a newly staged human2.aspx file created within the\r\nC:\\MOVEitTransfer\\wwwroot\\ directory. Note that there is no space between the words\r\nMOVEitTransfer. This filesystem path is based on the install location and is customizable (we've also seen it\r\npresent on other drives like \"E:\\\"), so this location may vary for your environment.\r\nThis ASPX file stages a SQL database account to be used for further access, described in greater detail below.\r\nTechnical Analysis and Investigation\r\nHuntress has identified fewer than ten organizations with this MOVEit Transfer software in our partner base;\r\nhowever, Shodan suggests that there are over 2,500 servers publicly available on the open Internet.\r\nFrom our few organizations, only one has seen a full attack chain and all the matching indicators of compromise. 
\r\nReviewing the IIS access logs of the affected host, we believe the attack chain follows these operations.\r\n2023-05-30 17:05:50 192.168.###.### GET / - 443 - 5.252.190.181 user-agent - 200\r\n2023-05-30 17:06:00 192.168.###.### POST /guestaccess.aspx - 443 - 5.252.191.14 user-agent - 200\r\n2023-05-30 17:06:00 192.168.###.### POST /api/v1/token - 443 - 5.252.191.14 user-agent - 200\r\n2023-05-30 17:06:02 192.168.###.### GET /api/v1/folders - 443 - 5.252.191.14 user-agent - 200\r\n2023-05-30 17:06:02 192.168.###.### POST /api/v1/folders/605824912/files uploadType=resumable 443 - 5.252.191.14 user-agent - 200\r\n2023-05-30 17:06:02 ::1 POST /machine2.aspx - 80 - ::1 CWinInetHTTPClient - 200\r\n2023-05-30 17:06:02 192.168.###.### POST /moveitisapi/moveitisapi.dll action=m2 443 - 5.252.191.14 user-agent - 200\r\n2023-05-30 17:06:04 192.168.###.### POST /guestaccess.aspx - 443 - 5.252.190.233 user-agent - 200\r\n2023-05-30 17:06:08 192.168.###.### PUT /api/v1/folders/605824912/files uploadType=resumable\u0026fileId=963061209 443 - 5.252.190.233 user-agent - 500\r\n2023-05-30 17:06:08 ::1 POST /machine2.aspx - 80 - ::1 CWinInetHTTPClient - 200\r\n2023-05-30 17:06:08 192.168.###.### POST /moveitisapi/moveitisapi.dll action=m2 443 - 5.252.190.233 user-agent - 200\r\n2023-05-30 17:06:11 192.168.###.### POST /guestaccess.aspx - 443 - 5.252.190.116 user-agent - 200\r\n2023-05-30 17:06:21 192.168.###.### GET /human2.aspx - 443 - 5.252.191.88 user-agent - 404\r\n(For the sake of brevity, the full User-Agent header has been removed from this excerpt.)\r\nmoveitisapi.dll is used to perform SQL injection when requested with specific headers, and guestaccess.aspx is\r\nused to prepare a session and extract CSRF tokens and other field values to perform further actions.\r\nNote that the 404 response code for the human2.aspx file may be expected: as discussed below, the backdoor\r\nreturns this status if the correct password key is not provided. 
Perhaps the threat actor was either\r\nimpatient in their upload process or just confirming the backdoor was staged properly.\r\nA full human2.aspx file is available for you to review.\r\nThis ASPX file:\r\nEnforces a static password for access, determined by the X-siLock-Comment HTTP header. If this\r\npassword is not supplied, the server returns a 404 with no further function. This password seems to vary,\r\nand for this reason, you will see multiple hashes being shared as IOCs for human2.aspx.\r\nConnects to the database and offers functionality based on a provided X-siLock-Step1 header to either:\r\n(-2) delete a Health Check Service user from the database\r\n(-1) leak Azure information via response header and return a GZIP stream of all files, file owners and file\r\nsizes, and institution data present in MOVEit\r\n(empty) retrieve any file specified by an X-siLocked-Step2 header (a folder ID) and X-SiLocked-Step3\r\nheader (file ID). If these header values are not provided, then it will add a new “Health Check Service”\r\nadmin user into the database and create a long-running active session for this account.\r\nFrom our Managed EDR service, we observed events on May 30 in which this affected host had w3wp.exe execute the\r\nC# compiler csc.exe, whose timing lines up with the creation of the human2.aspx backdoor.\r\nAs this is compiled, the system will create a DLL under:\r\nC:\\Windows\\Microsoft.net\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\9a11d1d0\\5debd404\r\nNote that your .NET version number may differ, or the last two subdirectories may have different hex values.\r\nIn this directory we observe a new artifact App_Web_wrpngvm2.dll (note again that these random characters will\r\ndiffer) that was created at the same timestamp, which differs from an App_Web_5h5nuzvn.dll that was created a\r\nyear prior. 
After exploring this new artifact via dotPeek, it's apparent that it's the pre-compiled human2.aspx file\r\nmentioned above.\r\nThe human2_aspx class is responsible for populating the file contents.\r\nThe first time an ASPX file is \"rendered,\" .NET will pre-compile it and cache the results in these temporary files.\r\nThese are leftover artifacts from csc.exe preparing the newly added human2.aspx file.\r\nIf you have a second App_web_….dll, you have likely been compromised, as this indicates the backdoor is\r\ncompiled and present. Only one should be present for the normal function of the MOVEit application.\r\nDetection Efforts\r\nFor our threat hunting efforts, we have used this process monitoring query:\r\nprocess.parent.name.caseless: w3wp.exe and process.parent.command_line.text : \"moveitdmz pool\"\r\nThreat hunter Anthony Smith noted that there is a peculiar misspelling in the human2.aspx webshell that may\r\nmake for a fine addition to a YARA rule (note the variable name azureAccout):\r\nstring azureAccout = SystemSettings.AzureBlobStorageAccount;\r\nWith that said, we've created our YARA rule that includes this and more, to be found here inside of our\r\npublic Threat Intel repository.\r\nAdditionally, Kostas has shared this Sigma rule to hunt for suspicious files including human2.aspx, dig\r\nthrough IIS event logs for activity similar to the above, and detect malicious DLL files in the temporary\r\nASP.NET files location.\r\nHuntress has crafted detectors to flag any further rogue behavior from the w3wp.exe process staging either C# or\r\nVB compilations.\r\nInvestigation Tips\r\nThere are various settings that may come in handy while investigating compromised machines with MOVEit\r\ninstalled. 
A good place to start is with the HKEY_LOCAL_MACHINE\\SOFTWARE\\Standard\r\nNetworks\\siLock registry key. The following registry value can help you quickly discover where your root\r\ndirectory is:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Standard Networks\\siLock-\u003eWebBaseDir\r\nYou may also find your log files for MOVEit at the following registry value:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Standard Networks\\siLock-\u003eLogsBaseDir\r\nMachines that we have seen exploited had MySQL installed as the underlying DBMS. You can find information\r\nabout how this is configured at: HKEY_LOCAL_MACHINE\\SOFTWARE\\Standard\r\nNetworks\\siLock\\MySQL\r\nSince you may configure MOVEit to use MSSQL or Azure SQL, you may find settings at this registry key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Standard Networks\\siLock\\SQLServer\r\nWhat You Should Do\r\nProgress has released immediate mitigation measures to help prevent the exploitation of this vulnerability.\r\nUpdate MOVEit Transfer to one of these patched versions:\r\nMOVEit Transfer 2023.0.1\r\nMOVEit Transfer 2022.1.5\r\nMOVEit Transfer 2022.0.4\r\nMOVEit Transfer 2021.1.4\r\nMOVEit Transfer 2021.0.6\r\nIf updating with the above patch is not feasible for your organization, their suggested mitigation is to\r\ndisable HTTP(S) traffic to MOVEit Transfer by adding firewall deny rules for ports 80 and 443. Note that\r\nthis will essentially take your MOVEit Transfer application out of service.\r\nIf you are using MOVEit and aren't already working with our team, Huntress is offering our Managed EDR at no\r\ncharge for newly deployed endpoints through the end of June. Our agent is compatible with any combination of\r\nsecurity tools and deployment is simple—get our team of 24/7 threat hunters watching your back in under 15\r\nminutes. 
Get started here.\r\nIndicators of Attack (IOAs)\r\nFiles\r\nC:\\MOVEitTransfer\\wwwroot\\human2.aspx\r\nIP addresses\r\n89.39.105[.]108 (WorldStream)\r\n5.252.190[.]0/24\r\n5.252.189-195[.]x\r\n148.113.152[.]144 (reported by the community)\r\n138.197.152[.]201\r\n209.97.137[.]33\r\nResources and References\r\nThe latest from Progress: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023\r\nReddit r/sysadmin:\r\nhttps://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/\r\nBleeping Computer's reporting: https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/\r\nTrustedSec's reporting: https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/\r\nRapid7's reporting: https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/\r\nNHS Digital's reporting: https://digital.nhs.uk/cyber-alerts/2023/cc-4326\r\nThe Record's reporting: https://therecord.media/moveit-transfer-tool-zero-day-exploited\r\nHelp Net Security's reporting: https://www.helpnetsecurity.com/2023/06/01/moveit-transfer-vulnerability/\r\nThanks to Huntress team members Kaleigh Slayton, Jason Phelps, Dray Agha, Sharon Martin, Matt\r\nAnderson, Caleb Stewart, Joe Slowik, Anthony Smith, David Carter, Jamie Levy and many others for their\r\ncontributions to this writeup and rapid response effort.\r\nSource: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
	],
	"report_names": [
		"moveit-transfer-critical-vulnerability-rapid-response"
	],
	"threat_actors": [
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4334e4d2faf302021cc45949d448aa893c6da1a.pdf",
		"text": "https://archive.orkl.eu/b4334e4d2faf302021cc45949d448aa893c6da1a.txt",
		"img": "https://archive.orkl.eu/b4334e4d2faf302021cc45949d448aa893c6da1a.jpg"
	}
}