HC3 TLP Clear Sector Alert: Critical MOVEit Transfer Software Vulnerability

June 2, 2023

Healthcare Sector Potentially at Risk from Critical Vulnerability in MOVEit Transfer Software

Executive Summary

On May 31, 2023, a Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. As of May 31, 2023, the vulnerability does not have a CVE. File transfer solutions are frequently targeted by multiple threat actors, including ransomware groups. Progress Software has yet to report any attempts of extortion due to exposure to the vulnerability, nor is there any attribution to any specific threat actors. However, the exploitation is very similar to the January 2023 mass exploitation of a GoAnywhere MFT zero-day and the December 2020 zero-day exploitation of Accellion FTA servers. Both of these products are managed on file transfer platforms that were heavily exploited by the Clop ransomware gang to steal data and extort organizations.

Impact to HPH Sector

The software is used by multiple organizations in the HPH sector, including hospitals, clinics, and health insurance groups. Sensitive information such as medical records, bank records, social security numbers, and addresses are at risk if this vulnerability is leveraged. The targeted organization could be subject to extortion by finanicially motivated threat groups. HC3 recommends that any HPH organization that currently utilizes MOVEit take immediate action, as noted below in the Mitigations section, while the software company produces a patch.


On May 31, 2023, Progress Software released a security advisory warning customers of a critical vulnerability in MOVEit Transfer software, offering mitigations until patches are installed. The MOVEit Transfer flaw is a SQL injection vulnerability that leads to remote code execution and does not currently have a CVE assigned to it. It is reported that there are 2,500 exposed MOVEit Transfer servers, with the majority located in the U.S., and that the same webshell was found on all exploited devices.

MOVEit Transfer is a leading secure managed file transfer application for collaboration and automated file transfers of sensitive data. It boasts file encryption, security, tamper-evident logging, activity tracking, and centralized access, and helps companies comply with service-level agreements (SLAs), internal governance requirements and regulations like Health Insurance Portability and Accountability Act (HIPAA). Available as a managed service, in the cloud, or on-premise solution, MOVEit consolidates all file transfer activities into one scalable system. Any user can access MOVEit via web, Mac and Windows Desktop clients, or a free mobile app.

According to the software company, hundreds of healthcare organizations, including those in the United States, utilize MOVEit products to deliver scalable, secure, and compliant patient care and business services. These services include healthcare billing, insurance-eligibility inquiries, healthcare claims, detailed audit logs, appointment reminders, patient surveys, and patient retrieval of medical records. The company states that its MOVEit software is the only system to be Federal Information Processing Standard (FIPS) 140-2 certified (the benchmark for validating the effectiveness of cryptographic hardware) by the National Institute of Standards and Technology (NIST). Due to its wide footprint, exploitation of this vulnerability can greatly impact the HPH sector.

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272