Deep-Dive: Up close and personal with the MOVEit zero-day vulnerability
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
The Power of OpenText Application Security + Secure Code Warrior
OpenText Application Security and Secure Code Warrior combine vulnerability detection with AI Software Governance and developer capability. Together, they help organizations reduce risk, strengthen secure coding practices, and confidently adopt AI-driven development.
Secure Code Warrior corporate overview
Secure Code Warrior is an AI Software Governance platform designed to enable organizations to safely adopt AI-driven development by bridging the gap between development velocity and enterprise security. The platform addresses the "Visibility Gap," where security teams often lack insights into shadow AI coding tools and the origins of production code.
Secure code training topics & content
Our industry-leading content is always evolving to fit the ever changing software development landscape with your role in mind. Topics covering everything from AI to XQuery Injection, offered for a variety of roles from Architects and Engineers to Product Managers and QA. Get a sneak peek of what our content catalog has to offer by topic and role.
Cyber Resilience Act (CRA) Aligned Learning Pathways
SCW supports Cyber Resilience Act (CRA) readiness with CRA-aligned Quests and conceptual learning collections that help development teams build the Secure by Design, SDLC, and secure coding skills aligned with the CRA’s secure development principles.
Resources to get you started
Observe and Secure the ADLC: A Four-Point Framework for CISOs and Development Teams Using AI
While development teams look to make the most of GenAI’s undeniable benefits, we’d like to propose a four-point foundational framework that will allow security leaders to deploy AI coding tools and agents with a higher, more relevant standard of security best practices. It details exactly what enterprises can do to ensure safe, secure code development right now, and as agentic AI becomes an even bigger factor in the future.
