MOVEit Mass Exploitation Campaign: The Industrialization of Zero-Day Theft

In late May 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) to exfiltrate data from more than 2,700 organizations and expose personal information belonging to more than 90 million individuals.

Threat IntelligenceVSDVulnerabilityDPSDataTIDThreatRGARiskIntermediateCONFIDENTIAL2,598 words11 min readApr 7, 2026

Last updated Apr 11, 2026

CLASSIFICATION: CONFIDENTIAL

This article requires CONFIDENTIAL clearance or higher.

What you need

Create a free Nexus ID to access CDA proprietary content including PDM domain explainers, methodology deep-dives, and reconnaissance mission briefings.

Create Nexus ID (Free)

Also at this clearance level

Threat IntelligenceTIDThreatIntermediate

Table of Contents

MOVEit Mass Exploitation Campaign: The Industrialization of Zero-Day Theft

What you need

Also at this clearance level

APT28 (Fancy Bear / Forest Blizzard)

Lazarus Group (HIDDEN COBRA / Diamond Sleet)

Salt Typhoon

Single Sign-On (SSO) Architecture

The Academy

The Command Post

The Armory