CVE-2023-34362 - MOVEit Transfer SQL Injection

This pack handles the MOVEit Transfer SQL injection vulnerability CVE-2023-34362.

This pack is part of the Rapid Breach Response pack.

CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.


A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.

To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.

The playbook includes the following tasks:

IoCs Collection

  • Blog IoCs download
  • Yara Rules download
  • Sigma rules download

Hunting

  • Cortex XDR XQL exploitation patterns hunting
  • Cortex Xpanse external facing instances hunting
  • Advanced SIEM exploitation patterns hunting
  • Indicators hunting

The hunting queries search for the following activities:

  • ASPX file creation by w3wp.exe
  • IIS compiling binaries via csc.exe on behalf of MOVEit
  • GET requests to specific exploitation-related files
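
The three hunting patterns above, expressed as detection logic over normalized endpoint and web-log events. This is an added example, not the pack's own queries; the event field names, the `pool_hint` parameter, the sample events and the placeholder file name are assumptions constructed for illustration.

```python
import ntpath

def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def hunt(events, ioc_files=frozenset(), pool_hint="moveit"):
    """Return the rule names that fire, in event order.

    ioc_files: lower-case file names from the downloaded IoCs (none hard-coded).
    pool_hint: assumed substring of the w3wp.exe command line that identifies
               the MOVEit application pool; set it to the local pool name.
    """
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create":
            # Pattern 1: the IIS worker process writes an .aspx file.
            if _name(ev.get("image")) == "w3wp.exe" and _name(ev.get("target")).endswith(".aspx"):
                hits.append("aspx_written_by_w3wp")
        elif kind == "process_create":
            # Pattern 2: csc.exe started by the worker serving the MOVEit pool.
            if (_name(ev.get("image")) == "csc.exe"
                    and _name(ev.get("parent_image")) == "w3wp.exe"
                    and pool_hint in ev.get("parent_cmdline", "").lower()):
                hits.append("csc_compiled_by_iis")
        elif kind == "http":
            # Pattern 3: GET for a file name listed in the IoCs.
            leaf = ev.get("uri", "").split("?", 1)[0].rsplit("/", 1)[-1].lower()
            if ev.get("method", "").upper() == "GET" and leaf in ioc_files:
                hits.append("get_to_ioc_file")
    return hits

# Constructed sample events; every path, pool name and file name is a placeholder.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": W3WP, "target": r"D:\webroot\placeholder.aspx"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe", "target": r"D:\webroot\deploy.aspx"},
    {"type": "process_create", "image": CSC, "parent_image": W3WP,
     "parent_cmdline": 'w3wp.exe -ap "moveit-pool-placeholder"'},
    {"type": "process_create", "image": CSC, "parent_image": W3WP,
     "parent_cmdline": 'w3wp.exe -ap "DefaultAppPool"'},
    {"type": "http", "method": "GET", "uri": "/placeholder-ioc.aspx?x=1"},
    {"type": "http", "method": "POST", "uri": "/placeholder-ioc.aspx"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS, ioc_files={"placeholder-ioc.aspx"}))
```

ASP.NET also starts csc.exe from w3wp.exe during normal page compilation, so hits on the second pattern are hunting leads to correlate with the other two rather than verdicts on their own.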


Mitigations

  • Progress official CVE-2023-34362 patch
  • Progress mitigation measures
  • Detection Rules
    • Yara
    • Sigma


MOVEit Transfer Critical Vulnerability (May 2023)

MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response




Cortex XSOAR, Cortex XSIAM

Supported By: Cortex
Created: June 5, 2023
Last Release: June 8, 2023
