What happened
In mid-2023 attackers began exploiting a previously unknown SQL-injection flaw in MOVEit Transfer, a tool companies use to move sensitive files between each other. Because so many organizations ran it, one flaw cascaded into thousands of breaches.
This was a zero-day, so there was no patch when the attacks started. Defenders found out because data was already leaving.
How injection became data theft
SQL injection happens when user input is mixed into a database query instead of being kept separate from it. Send the right input and you stop describing data and start writing the query yourself.
In MOVEit, that meant reaching into the database the tool used to track transfers, then reading the files and details it held. The application happily ran the attacker's queries.
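The difference between mixing input into a query and keeping it separate, shown as an added example that is not MOVEit's code and not part of the original article. It uses Python's sqlite3 with a constructed `transfers` table; the table, column and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows; not data from any real system.
SAMPLE_ROWS = [
    ("alice", "payroll.csv"),
    ("bob", "contracts.pdf"),
    ("o'brien", "claims.xlsx"),  # a legitimate name containing a quote
]

def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, owner TEXT, filename TEXT)")
    db.executemany("INSERT INTO transfers (owner, filename) VALUES (?, ?)", SAMPLE_ROWS)
    return db

def files_for_owner_concat(db, owner):
    """Vulnerable: the input is pasted into the SQL text and parsed as SQL."""
    query = "SELECT filename FROM transfers WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(query)]

def files_for_owner_param(db, owner):
    """Hardened: the input is bound as a value and never reaches the SQL parser."""
    query = "SELECT filename FROM transfers WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(query, (owner,))]

def lookup_is_safe(lookup):
    """Regression check: input containing quotes must be treated purely as data."""
    db = make_db()
    try:
        return (lookup(db, "o'brien") == ["claims.xlsx"]
                and lookup(db, "alice' OR '1'='1") == [])
    except sqlite3.OperationalError:
        return False  # a quote in the input changed the query's syntax

if __name__ == "__main__":
    crafted = "alice' OR '1'='1"
    print("concatenated:", files_for_owner_concat(make_db(), crafted))
    print("parameterized:", files_for_owner_param(make_db(), crafted))
    print("concat lookup safe?", lookup_is_safe(files_for_owner_concat))
    print("param lookup safe?", lookup_is_safe(files_for_owner_param))
```

The concatenated lookup returns every row for the crafted value and raises a syntax error on the ordinary name `o'brien`, which is the kind of response change a test can watch for. The parameterized lookup treats both inputs as plain strings.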
Why one vendor flaw hit thousands
File-transfer tools sit at the seam between organizations, holding exactly the data worth stealing. Compromise the tool and you compromise everyone who trusted it.
The MOVEit wave showed how a single flaw in shared infrastructure becomes a supply-chain event, even when the bug itself is an old, well-understood class.
How it unfolded
- May 2023: Attackers begin mass exploitation of the unknown flaw.
- May 31, 2023: The vendor discloses the vulnerability and ships an emergency patch.
- Summer 2023: A long run of organizations disclose breaches traced back to MOVEit.
Where buggy.run fits
Injection is found the same way attackers find it: by sending crafted inputs and reading how the responses change.
buggy.run discovers your inputs, fuzzes them, and watches the responses for the tells of a query gone wrong, instead of assuming your parameters are safe.
What to take away
- Use parameterized queries everywhere. Never build SQL by string concatenation.
- Patch edge tools like file transfer and VPNs fast. They are prime targets.
- Segment sensitive data so one app's database is not a master key.
- Assume your vendors can ship a zero-day, and watch for data leaving.

