Detailed analysis of the Zero-Day vulnerability in MOVEit Transfer

Key Takeaways

  • A common feature among all exploited devices is a webshell named ‘human2.aspx’ located in the ‘C:\MOVEitTransfer\wwwroot’ public HTML folder. Multiple IP addresses have been associated with the attacks, which reportedly started on May 27th.
  • The exploitation method strongly resembles the mass exploitation of GoAnywhere MFT and Accellion FTA servers in January 2023 and December 2020 respectively. Those incidents were linked to the Clop ransomware gang, which exploited managed file transfer platforms for data theft and extortion.
  • The threat actor Lace Tempest has been officially linked by Microsoft to the exploitation of a critical flaw in Progress Software’s MOVEit Transfer application. Its apparent collaboration with the Cl0p ransomware group, evidenced by ransom notes found on compromised hosts, reinforces the urgent need to apply the security patches promptly. PoC exploit code for MOVEit Transfer has been released by Horizon3.ai.
  • On June 15th, a third vulnerability (CVE-2023-35708) in Progress Software’s MOVEit Transfer was disclosed. It could allow an attacker to gain elevated privileges and potentially unauthorised access to the environment. Full technical details of the flaw have not been published, and researchers have found no evidence that it has been exploited.



  • Immediate measures include blocking external traffic to ports 80 and 443, inspecting the MOVEit Transfer folder for unexpected files, and conducting thorough forensic examinations for any signs of compromise. Organizations are urged to prepare for potential extortion and public disclosure of stolen data.
  • Search for the following potential indications of unauthorized intrusion over the past 30 days, i.e., at least: the emergence of unexpected files in the C:\MOVEitTransfer\wwwroot\ directory across all your MOVEit Transfer instances (back-ups included), and unanticipated and/or extensive file downloads.
  • The patches have already been published by the vendor and should be applied immediately.

This vulnerability needs emergency patching.


In layman’s terms, we have been investigating a serious cybersecurity issue in a popular software product called MOVEit Transfer. The software has a security flaw, known as a ‘zero-day vulnerability’, which is being actively exploited to steal data from many organizations. When this advisory was first issued, the identity of the threat actors was unknown, as no extortion attempts had yet been made. The nature of these cyberattacks closely resembles previous large-scale attacks in 2020 and 2023 on similar types of software, which were attributed to the criminal group known as the Clop ransomware gang.

A further vulnerability affecting Progress Software’s MOVEit Transfer application was disclosed on June 15th, as the Cl0p cybercrime group began extorting the affected businesses.


Technical Details

Around 2,500 exposed MOVEit servers, mainly in the US, are at risk. A common feature found across all exploited devices is a webshell named ‘human2.aspx’, located in the ‘C:\MOVEitTransfer\wwwroot’ public HTML folder (its name mimics the legitimate ‘human.aspx’ page). This webshell first checks whether the inbound request contains a specific password-like value in the ‘X-siLock-Comment’ header and returns a 404 “Not Found” error if the header is not correctly populated, so to anyone without the password it is indistinguishable from a missing page.

Once accessed with the correct password, the webshell executes commands based on the values of the ‘X-siLock-Step1’, ‘X-siLock-Step2’, and ‘X-siLock-Step3’ request headers. This enables the threat actor to interact with the MOVEit Transfer database (MySQL, Microsoft SQL Server or Azure SQL, depending on the deployment) and perform various actions, including retrieving file details, manipulating user entries, acquiring the Azure Blob Storage account configuration, and downloading files.

Randomly named ‘App_Web_<random>.dll’ files, such as ‘App_Web_feevjhtu.dll’, have also been reported in the aftermath of breaches. These are compiled ASP.NET page assemblies; one such file is typically present on a clean installation, so additional ones created during the exploitation window are suspicious. The vulnerability is tracked as CVE-2023-34362.

A further vulnerability, CVE-2023-35708, is also a SQL injection flaw that could lead to elevated privileges and potentially unauthorised access to the environment. The SQL injection in the MOVEit Transfer web application might let an unauthenticated attacker access the MOVEit Transfer database without authorization: by sending a specially crafted payload to a MOVEit Transfer application endpoint, an attacker could modify and reveal the contents of the database. However, researchers have not come across any proof that the vulnerability has been exploited.


Affected Products

Vulnerable until patched:

  • MOVEit Transfer 2023.0.x (15.0.x)
  • MOVEit Transfer 2022.1.x (14.1.x)
  • MOVEit Transfer 2022.0.x (14.0.x)
  • MOVEit Transfer 2021.1.x (13.1.x)
  • MOVEit Transfer 2021.0.x (13.0.x)
  • MOVEit Transfer 2020.1.6 (12.1.6) or later: a special patch is available from the vendor
  • MOVEit Transfer 2020.0.x (12.0) or older: no patch; upgrade to a supported version

Fixed releases published by the vendor (the second build in each pair supersedes the first):

  • MOVEit Transfer 2023.0.1, 2023.0.2 (15.0.1, 15.0.2)
  • MOVEit Transfer 2022.1.5, 2022.1.6 (14.1.5, 14.1.6)
  • MOVEit Transfer 2022.0.4, 2022.0.5 (14.0.4, 14.0.5)
  • MOVEit Transfer 2021.1.4, 2021.1.5 (13.1.4, 13.1.5)
  • MOVEit Transfer 2021.0.6, 2021.0.7 (13.0.6, 13.0.7)

Note that the fixed releases listed here predate CVE-2023-35708 (disclosed June 15th); the vendor has since published further builds addressing it, so always install the latest build for your branch.


Available Vendor Patches

Progress Software Corporation has already published the patches. The patch files are available from the vendor’s security advisory for CVE-2023-34362.


Available Mitigations

Step 1: Suspend all HTTP and HTTPS traffic directed to your MOVEit Transfer environment until the patch has been applied.

More precisely:

  • Adjust firewall rules to refuse HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
  • Keep in mind, until HTTP and HTTPS traffic is reinstated:
    • Users will be unable to sign in to the MOVEit Transfer web UI.
    • MOVEit Automation tasks that use the native MOVEit Transfer host will become inactive.
    • REST, Java and .NET APIs will be non-operational.
    • The MOVEit Transfer plugin for Outlook will cease to work.
    • SFTP and FTP/S protocols will continue functioning normally.

Administrators will retain access to MOVEit Transfer by using a remote desktop connection to the Windows host and then navigating to https://localhost/.


Step 2: Inspect, Remove and Reset

2.1 Delete Unauthorized Files and User Profiles

  • Search for and remove any instances of the ‘human2.aspx’ webshell and of ‘.cmdline’ script files;
  • Check the ‘C:\MOVEitTransfer\wwwroot’ directory on the MOVEit Transfer server for any newly created files;
  • Search for newly created files with a ‘.cmdline’ extension in the ‘C:\Windows\TEMP\[random]’ directory on the MOVEit Transfer server;
  • Remove any unauthorized user profiles;
  • Investigate logs for unanticipated file downloads from unrecognized IPs or a large quantity of files downloaded.

2.2 Reset Passwords

  • Reset the service account passwords for affected systems as well as the MOVEit Service Account.

Use the IoCs below to check for potential signs of compromise in the environment.


Step 3: Apply the Patch

This vulnerability needs emergency patching.


The critical flaw in Progress Software’s MOVEit Transfer application is officially attributed to Lace Tempest, a threat actor tracked by Microsoft. Following exploitation, the threat actor typically deploys a web shell capable of data exfiltration.
Lace Tempest, also tracked as Storm-0950, has affiliations with other notable groups, such as FIN11, TA505 and Evil Corp, and operates the Cl0p extortion site. The group’s past actions show a consistent pattern of exploiting zero-day vulnerabilities, including a recent severe bug in PaperCut servers, to steal data and extort victims.
Activity related to this threat actor is also tracked by Google-owned Mandiant under the label UNC4857, with the web shell identified as LEMURLOOT, and Mandiant notes broad tactical connections with FIN11.
Public sources indicate collaboration between Lace Tempest and the Cl0p ransomware group. Evidence for this collaboration is based on ransom notes found on compromised hosts, which unambiguously link to the Cl0p group.

Indicators of compromise

The standard installation path for this software is C:\MOVEitTransfer\wwwroot; the presence of the moveitisapi.dll library there identifies a MOVEit Transfer web root.

File path (regex; matches either spelling of the install folder):

(?i)\\MOVEit ?Transfer\\wwwroot\\[^\\]{1,40}\.(zip|rar|7z|exe|ps1|bat)

Folder path:

C:\Windows\TEMP\[random]\*.cmdline (script that is executed to create the human2.aspx file; the folder path and filename are randomized.)
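The file-system checks of Step 2.1 and the file and folder path indicators above, as an added hunting script (written for this page; not part of the advisory or of Progress Software’s tooling). It assumes the default install layout (C:\MOVEitTransfer\wwwroot, C:\Windows\TEMP\<random>\*.cmdline, and App_Web_<random>.dll under the Temporary ASP.NET Files tree) mirrored beneath a root directory you point it at, so it runs equally against a live host or a mounted disk image. The demo tree it builds, including every file name in it, is constructed for illustration; the baseline of one App_Web DLL follows the advisory and should be adjusted from a known-good instance.

```python
"""File-system hunt for the MOVEit Transfer indicators in this advisory.
Added example, not vendor tooling; the demo tree it builds is constructed."""
import os
import re
import tempfile

WEBSHELL_NAMES = {"human2.aspx"}  # mimics the legitimate human.aspx page
# Archives/executables that do not belong directly in wwwroot (advisory regex)
SUSPECT_EXT = re.compile(r"(?i)^[^\\/]{1,40}\.(zip|rar|7z|exe|ps1|bat)$")
APP_WEB_DLL = re.compile(r"(?i)^App_Web_[a-z0-9_-]+\.dll$")


def hunt(root, app_web_baseline=1):
    """Return sorted (indicator, relative_path) findings under root.

    root mirrors the host's layout, so it can be a mounted image:
      <root>/MOVEitTransfer/wwwroot              public web root
      <root>/Windows/TEMP/<random>/*.cmdline     compile scripts
      <root>/Windows/Microsoft.NET/...           App_Web_<random>.dll
    app_web_baseline: number of App_Web DLLs normally present (the advisory
    says one); anything beyond that count is reported.
    """
    findings = []
    wwwroot = os.path.join(root, "MOVEitTransfer", "wwwroot")
    for dirpath, _, files in os.walk(wwwroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() in WEBSHELL_NAMES:
                findings.append(("webshell-name", rel))
            elif dirpath == wwwroot and SUSPECT_EXT.match(name):
                findings.append(("unexpected-file-type", rel))
    for dirpath, _, files in os.walk(os.path.join(root, "Windows", "TEMP")):
        for name in files:
            if name.lower().endswith(".cmdline"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(("cmdline-script", rel))
    dlls = [
        os.path.relpath(os.path.join(dirpath, name), root)
        for dirpath, _, files in os.walk(root)
        for name in files
        if APP_WEB_DLL.match(name)
    ]
    if len(dlls) > app_web_baseline:
        findings.extend(("extra-app-web-dll", d) for d in dlls)
    return sorted(findings)


def build_demo_tree():
    """Constructed sample layout: one of each indicator plus benign files."""
    root = tempfile.mkdtemp(prefix="moveit-hunt-")
    layout = {
        "MOVEitTransfer/wwwroot/human.aspx": "<%@ Page %>",   # legitimate page
        "MOVEitTransfer/wwwroot/human2.aspx": "<%@ Page %>",  # webshell
        "MOVEitTransfer/wwwroot/export.zip": "PK",            # staged archive
        "MOVEitTransfer/wwwroot/images/logo.png": "png",      # benign asset
        "Windows/TEMP/abcd1234/xyz.cmdline": "csc.exe ...",   # compile script
        "Windows/Microsoft.NET/Temporary ASP.NET Files/root/a/b/App_Web_feevjhtu.dll": "MZ",
        "Windows/Microsoft.NET/Temporary ASP.NET Files/root/a/b/App_Web_k2qk3xsd.dll": "MZ",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for indicator, path in hunt(build_demo_tree()):
        print(f"{indicator:22s} {path}")
```

Run it against C:\ on a suspect host (or the mount point of its image) with the baseline taken from a clean instance; a hit on the webshell name or a .cmdline script should be followed by the log review in Step 2.1 rather than by deletion alone.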


POST requests:

POST /moveitisapi/moveitisapi.dll

POST /guestaccess.aspx

POST /api/v1/folders/[random]/files
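The webshell behaviour described under Technical Details and the POST request indicators above, as an added triage script over IIS W3C logs (written for this page; not from the advisory or the vendor). The log lines are constructed and the client addresses are documentation ranges. Two caveats shape it: the shell answers 404 unless X-siLock-Comment carries the password, so a 404 for /human2.aspx is not evidence of absence, and the default IIS log format does not record custom request headers, so the X-siLock-* values cannot be hunted in these logs. The three exploit-chain endpoints are also legitimate MOVEit URLs, so they are reported per source IP rather than alerted on individually; the scanner-style GET in the sample is the kind of entry the side note on mass scanners warns about.

```python
"""Triage of IIS W3C logs from a MOVEit Transfer host for the request
indicators in this advisory. Added example; the log below is constructed."""
import re

# Request indicators. The webshell path is suspicious in itself; the other
# three are legitimate MOVEit Transfer endpoints that the exploit chain also
# uses, so they are scored per source IP rather than alerted on individually.
WEBSHELL_PATH = "/human2.aspx"
EXPLOIT_PATHS = [
    re.compile(r"(?i)^/moveitisapi/moveitisapi\.dll$"),
    re.compile(r"(?i)^/guestaccess\.aspx$"),
    re.compile(r"(?i)^/api/v1/folders/[^/]+/files$"),
]

# Constructed sample log (documentation IP ranges, not real evidence).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 02:11:04 10.0.0.5 GET /human.aspx - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 120
2023-05-28 02:11:09 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 198.51.100.23 python-requests/2.31 200 0 0 84
2023-05-28 02:11:10 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 python-requests/2.31 200 0 0 230
2023-05-28 02:11:12 10.0.0.5 POST /api/v1/folders/1234567/files - 443 - 198.51.100.23 python-requests/2.31 200 0 0 410
2023-05-28 02:11:15 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 python-requests/2.31 200 0 0 55
2023-05-28 02:40:01 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 zgrab/0.x 404 0 2 3
2023-05-28 03:00:00 10.0.0.5 POST /guestaccess.aspx - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 190
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat mid-file; re-read it
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def triage(lines):
    """Return (webshell_hits, chain_ips).

    webshell_hits: every request for /human2.aspx as
        (date, time, client_ip, method, status), whatever the status: the
        shell answers 404 when X-siLock-Comment is wrong, and IIS does not log
        custom request headers by default, so a 404 here is not a clean bill.
    chain_ips: client IPs that POSTed to all three exploit-chain endpoints.
    """
    webshell_hits = []
    endpoints_by_ip = {}
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "")
        uri = rec.get("cs-uri-stem", "")
        ip = rec.get("c-ip", "-")
        if uri.lower() == WEBSHELL_PATH:
            webshell_hits.append((rec.get("date"), rec.get("time"), ip, method, rec.get("sc-status")))
        if method == "POST":
            for idx, pattern in enumerate(EXPLOIT_PATHS):
                if pattern.match(uri):
                    endpoints_by_ip.setdefault(ip, set()).add(idx)
    chain_ips = sorted(ip for ip, hit in endpoints_by_ip.items() if len(hit) == len(EXPLOIT_PATHS))
    return webshell_hits, chain_ips


if __name__ == "__main__":
    hits, ips = triage(SAMPLE_LOG.splitlines())
    for hit in hits:
        print("webshell request:", *hit)
    print("full exploit-chain sequence from:", ", ".join(ips) or "none")
```

Feed it the u_ex*.log files from C:\inetpub\logs\LogFiles for the 30-day window the advisory recommends; any IP in chain_ips that is also present in the webshell hits is the first candidate to pivot on in the MOVEit audit logs and file download records.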


User account creation:

Health Check Service

(“Webshell creates a MOVEit Transfer user account session with the display name ‘Health Check Service’.”)


IP Addresses:


IP addresses related with high confidence to mass scanners:

Side note:
The following addresses have been identified as instances of the zgrab mass scanner and are highly likely to be false positives. During various DFIR (Digital Forensics and Incident Response) actions they may have been incorrectly assigned as IoCs directly related to the campaign, since their full-scale internet scanning makes them highly active in logs.

SHA256 Hashes (related to the ‘human2.aspx’ filename on VirusTotal):

5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff
0ea05169d111415903a1098110c34cdbbd390c23016cd4e179dd9ef507104495
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e


SHA256 Hashes (‘human2.aspx’ webshell used during exploitation as per vendor):


Sigma rule for file creation detection: https://github.com/SigmaHQ/sigma/pull/4281/files#diff-57f376f5bc911cab912a22bf4e18faf321a8608d9ce72da7e121a8ed48238d21



Proof of Concept

Security researchers from Horizon3.ai released a PoC for exploitation of MOVEit Transfer (CVE-2023-34362): https://github.com/horizon3ai/CVE-2023-34362. The company summarizes its publication as follows: “This POC abuses an SQL injection to obtain a sysadmin API access token and then use that access to abuse a deserialization call to obtain remote code execution. This POC needs to reach out to an Identity Provider endpoint which hosts proper RS256 certificates used to forge arbitrary user tokens – by default this POC uses our IDP endpoint hosted in AWS. By default, the exploit will write a file to C:\Windows\Temp\message.txt. Alternative payloads can be generated by using the ysoserial.net project.”
It is important to note that a publicly available PoC can motivate other threat actors to launch their own campaigns and hence increase the number of attacks.





https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/



https://github.com/horizon3ai/CVE-2023-34362
https://nvd.nist.gov/vuln/detail/CVE-2023-34362



List of changes

Version Date Description
1.0 2023-06-01 Initial Version
2.0 2023-06-02 Updated Version
3.0 2023-06-07 Updated Version
4.0 2023-06-14 Updated Version
5.0 2023-06-19 Updated Version


Glossary of terms

POC Proof of Concept
TI Threat Intelligence
TLP Traffic Light Protocol
Workarounds Refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update.
