SQL injection · CVE-2023-34362 · 2023 · 6 min read

What was MOVEit Transfer?

A SQL-injection zero-day in MOVEit Transfer let attackers query the database directly and pull files straight out. One flaw in one file-transfer tool turned into thousands of organizations breached at once.

  • 1 zero-day in a single product
  • 2,000+ organizations hit
  • 60M+ individuals affected downstream
  • Files read directly from the database

What happened

In mid-2023 attackers began exploiting a previously unknown SQL-injection flaw in MOVEit Transfer, a tool companies use to move sensitive files between one another. Because so many organizations ran it, one flaw cascaded into thousands of breaches.

This was a zero-day, so there was no patch when the attacks started. Defenders found out because data was already leaving.

How injection became data theft

SQL injection happens when user input is mixed into a database query instead of being kept separate from it. Send the right input and you stop describing data and start writing the query yourself.

In MOVEit, that meant reaching into the database the tool used to track transfers, then reading the files and details it held. The application happily ran the attacker's queries.

Why one vendor flaw hit thousands

File-transfer tools sit at the seam between organizations, holding exactly the data worth stealing. Compromise the tool and you compromise everyone who trusted it.

The MOVEit wave showed how a single flaw in shared infrastructure becomes a supply-chain event, even when the bug itself is an old, well-understood class.

How it unfolded

  1. May 2023
    Attackers begin mass exploitation of the unknown flaw.
  2. May 31, 2023
    The vendor discloses the vulnerability and ships an emergency patch.
  3. Summer 2023
    A long run of organizations disclose breaches traced back to MOVEit.

Where buggy.run fits

Injection is found the same way attackers find it: by sending crafted inputs and reading how the responses change.

buggy.run discovers your inputs, fuzzes them, and watches the responses for the tells of a query gone wrong, instead of assuming your parameters are safe.
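To make the two points above concrete (input spliced into a query versus bound as a parameter, and the response tells a fuzzer looks for), here is an added example in Python against an in-memory SQLite table. It is not MOVEit's code or buggy.run's; the `files` table and its rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a transfer tool's file index.
    Illustrative only; this is not MOVEit's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", [
        ("alice", "q2-payroll.xlsx"),
        ("alice", "contracts.zip"),
        ("bob", "design-notes.pdf"),
    ])
    return conn


def list_files_vulnerable(conn, owner):
    """Input is spliced into the SQL text, so the caller's string becomes
    part of the query grammar rather than a value compared against it."""
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return sorted(row[0] for row in conn.execute(sql))


def list_files_safe(conn, owner):
    """Input is passed as a bound parameter; the driver always treats it as
    a value, never as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return sorted(row[0] for row in rows)


def probe(conn, query_fn, owner):
    """A fuzzer's view of a response: the row count, or 'error' if the query
    failed. A count that jumps, or an error on a stray quote, is the tell
    that input reached the query text."""
    try:
        return len(query_fn(conn, owner))
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    conn = make_db()
    # A plain name, a legitimate name with an apostrophe, and a tautology.
    for owner in ["bob", "o'brien", "bob' OR '1'='1"]:
        v = probe(conn, list_files_vulnerable, owner)
        s = probe(conn, list_files_safe, owner)
        print(f"{owner!r:20} vulnerable={v!s:6} safe={s}")
```

The vulnerable version errors on an ordinary apostrophe and returns every owner's files for the tautology, while the parameterized version returns exactly the rows for that literal owner string in both cases.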

What to take away

  • Use parameterized queries everywhere. Never build SQL by string concatenation.
  • Patch edge tools like file transfer and VPNs fast. They are prime targets.
  • Segment sensitive data so one app's database is not a master key.
  • Assume your vendors can ship a zero-day, and watch for data leaving.

Find your unnoticed bug before someone else does.

buggy.run signs in, captures your real traffic, and hunts the quiet flaws that scanners miss. You get every finding in plain English with the fix.