Critical | Vulnerability | Active

MOVEit Transfer Vulnerability Exploited Again by Cl0p Ransomware

A new critical SQL injection vulnerability in MOVEit Transfer is being exploited by the Cl0p ransomware group, echoing the devastating 2023 campaign that compromised thousands of organizations worldwide.

Sebastion

CVE References: CVE-2025-34362

Affected: Progress MOVEit Transfer

What happened: Progress Software disclosed a critical SQL injection vulnerability in MOVEit Transfer, and threat intelligence firms quickly confirmed active exploitation by the Cl0p (TA505) ransomware group. The attack mirrors the group's devastating 2023 MOVEit campaign that compromised over 2,500 organizations and exposed data belonging to tens of millions of individuals. Cl0p appears to be using automated mass exploitation tools to exfiltrate data from vulnerable instances before organizations can patch.

Technical details: CVE-2025-34362 is a SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to access and manipulate the underlying database. Exploitation can lead to data exfiltration, creation of rogue administrative accounts, and in some configurations, operating system command execution. Mandiant observed attackers using the vulnerability to deploy a custom web shell for persistent access and automated data exfiltration scripts targeting files uploaded through MOVEit workflows. The attack pattern suggests pre-positioned reconnaissance and automated tooling.
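The root cause described above is a query built from untrusted input. The following is an added illustration, not code from MOVEit or from this advisory's author: a hypothetical user lookup against a constructed SQLite table, written once with string concatenation (the defect class) and once with a bound parameter (the fix). The table, column names and sample rows are all assumptions for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory user store (hypothetical schema, not MOVEit's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("svc_admin", 1)],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Defective pattern: the caller's text is spliced into the SQL grammar,
    so a quote character in the input changes the statement's meaning."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    """Hardened pattern: the value is bound by the driver and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print("vulnerable:", lookup_user_vulnerable(db, crafted))  # every row leaks
    print("safe:      ", lookup_user_safe(db, crafted))        # no such user
```

The point for reviewers of any file-transfer or web application code is that the safe version needs no input filtering to be correct; parameter binding removes the channel by which data reaches the parser as syntax.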

Who is affected: Organizations running MOVEit Transfer on-premises for managed file transfer workflows. MOVEit is widely used in healthcare, financial services, government, and legal sectors for secure file exchange involving sensitive data. Many organizations that patched after the 2023 campaign may have been lulled into complacency, but the new vulnerability exists in code separate from the previously patched components.

What defenders should do: Patch MOVEit Transfer immediately to the latest version. Take MOVEit instances offline if patching cannot be done within hours. Check for web shells, unauthorized accounts, and unusual database queries in MOVEit logs. Monitor outbound data flows from MOVEit servers for large or unexpected transfers. Engage incident response if any indicators of compromise are found, as Cl0p typically has a short window between exploitation and public data leak.
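Two of the checks listed above, looking for web shells and for large outbound transfers, can be run against the web server's request logs. The script below is an added example, not tooling from the advisory's author or from Progress. It assumes MOVEit Transfer is served by IIS writing W3C-format logs (the field list, the baseline of legitimate `.aspx` pages, the byte threshold and the log excerpt are all constructed for the demonstration), flags any `.aspx` path outside the baseline as a web-shell candidate, and sums bytes sent per client address to surface bulk downloads.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (sample data, not real MOVEit logs).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2025-06-01 08:00:01 GET /human.aspx - 10.0.0.5 200 4210
2025-06-01 08:00:09 POST /api/v1/token - 10.0.0.5 200 812
2025-06-01 08:01:15 GET /unexpected.aspx - 203.0.113.7 200 1534
2025-06-01 08:01:16 POST /unexpected.aspx - 203.0.113.7 200 20
2025-06-01 08:02:00 GET /api/v1/files/1001/download - 203.0.113.7 200 340000000
2025-06-01 08:02:30 GET /api/v1/files/1002/download - 203.0.113.7 200 290000000
2025-06-01 08:05:00 GET /api/v1/files/2001/download - 10.0.0.9 200 1200000
"""

# Placeholder baseline of .aspx pages the application legitimately serves.
# Build the real list from a known-clean install of your own deployment.
KNOWN_ASPX = {"/human.aspx", "/machine.aspx", "/guestaccess.aspx"}

# Bytes sent to one client within the log window before it is flagged
# (assumed value; tune to the normal transfer volume of your environment).
EXFIL_BYTES_THRESHOLD = 500_000_000


def parse_iis(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than mis-align columns
        records.append(dict(zip(fields, values)))
    return records


def find_unknown_aspx(records):
    """Any .aspx path outside the baseline is a web-shell candidate."""
    hits = set()
    for r in records:
        path = r["cs-uri-stem"].lower()
        if path.endswith(".aspx") and path not in KNOWN_ASPX:
            hits.add(path)
    return sorted(hits)


def find_bulk_downloads(records, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum server-to-client bytes per address; large totals warrant review."""
    per_client = defaultdict(int)
    for r in records:
        if r["sc-status"] == "200":
            per_client[r["c-ip"]] += int(r["sc-bytes"])
    return {ip: total for ip, total in per_client.items() if total >= threshold}


def triage(text):
    """Run both checks over one log and return the findings."""
    records = parse_iis(text)
    return {
        "unknown_aspx": find_unknown_aspx(records),
        "bulk_download_clients": find_bulk_downloads(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Either finding on its own is a reason to pull the host's file system and database for full review rather than to keep tuning thresholds; the advisory's point about Cl0p's short window between exploitation and leak means the cost of a false positive is low compared with the cost of a missed one.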

Broader implications: The return of Cl0p to target MOVEit Transfer demonstrates that threat actors will repeatedly target high-value software categories where they have developed expertise. Managed file transfer platforms remain attractive targets because they inherently handle sensitive data. Organizations should consider architectural changes such as network segmentation and data loss prevention controls around file transfer infrastructure, rather than relying solely on vendor patches.