CVE-MOVEITInitial Access

MOVEit Transfer SQLi → Deserialisation (CVE-2023-34362)

Pre-auth SQLi in MOVEit's web UI → forge admin session → .NET deserialisation chain → SYSTEM webshell. The Cl0p mass-exfil event of 2023.

§ Where this technique fits

CVE-MOVEIT is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
step 2 / 6

§ What commonly comes next

01
Deserialization — .NET BinaryFormatter / JSON.NET
W-DESER-NET · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)

§ What commonly comes next