Full Report
Threat intelligence firm GreyNoise is warning of a "notable surge" in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025—suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems. MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data.
Analysis Summary
# Vulnerability: Heightened Scanning Activity Targeting Known MOVEit Transfer Flaws
## CVE Details
- CVE ID:
  - CVE-2023-34362
  - CVE-2023-36934
- CVSS Score: Not specified in the text for these CVEs.
- CWE: Not specified in the text.
## Affected Systems
- Products: Progress MOVEit Transfer (Managed File Transfer solution)
- Versions: Affected versions are implied to be those vulnerable to the referenced CVEs prior to patching. (Specific vulnerable versions not detailed in this summary text).
- Configurations: Systems exposed publicly over the internet.
## Vulnerability Description
The article highlights a significant surge in scanning activity targeting Progress MOVEit Transfer instances starting May 27, 2025. This scanning appears to be focused on weaponizing two previously disclosed vulnerabilities: CVE-2023-34362 (a flaw notably exploited by Cl0p ransomware actors) and CVE-2023-36934 (described as an unauthenticated SQLi vulnerability). The scanning is preparatory, suggesting threat actors are probing for unpatched systems before a potential mass exploitation campaign.
## Exploitation
- Status: Low-volume exploitation attempts detected on June 12, 2025, targeting the two known CVEs. The surge in scanning suggests preparation for wider exploitation.
- Complexity: For the referenced CVEs (especially if related to SQLi), exploitation complexity is generally low to medium.
- Attack Vector: Network (Remote exploitation against exposed instances).
## Impact
- Confidentiality: High (MOVEit Transfer handles sensitive data).
- Integrity: High (Successful exploitation of related SQLi flaws often allows data manipulation).
- Availability: Potential risk if exploited services are disrupted or taken offline by attackers.
## Remediation
### Patches
- Users must ensure their **Progress MOVEit Transfer** software is up-to-date with the latest released patches that address **CVE-2023-34362** and **CVE-2023-36934**. (Specific patch versions are not listed in the source text).
### Workarounds
- **Block offending IP addresses**: Block the suspicious and malicious IP addresses identified by threat intelligence firms.
- **Avoid public exposure**: Ensure MOVEit Transfer instances are *not* publicly exposed over the internet where possible.
## Detection
- **Indicators of Compromise (IoCs)**: A high volume of scanning originating from numerous, distributed unique IP addresses targeting MOVEit Transfer services since May 27, 2025. GreyNoise flagged up to 449 IPs in the last 24 hours.
- **Detection Methods and Tools**: Utilize network monitoring and threat intelligence platforms (like GreyNoise) to identify and track the elevated scanning traffic associated with MOVEit Transfer endpoints.
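
One way to apply the same signal locally, the number of distinct source IPs per day, to your own web access logs. This is an added example, not code from GreyNoise or the source article. The path prefix is a placeholder for your MOVEit Transfer URL paths, the log lines are constructed, and the `factor` and `min_sources` thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Placeholder: replace with the URL path prefixes your MOVEit Transfer site serves.
WATCHED_PREFIXES = ("/mft-placeholder/",)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3}')

def unique_sources_per_day(lines, prefixes=WATCHED_PREFIXES):
    """Map each calendar day to the set of client IPs that requested a watched path."""
    days = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().startswith(tuple(prefixes)):
            continue  # unparsable line, or a request to some other application
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        days[day].add(m["ip"])
    return dict(days)

def surge_days(days, factor=3.0, min_sources=5):
    """Flag days whose unique-source count is >= factor x the median of all earlier days."""
    flagged, ordered = [], sorted(days)
    for i, day in enumerate(ordered[1:], start=1):
        baseline = median(len(days[d]) for d in ordered[:i])
        count = len(days[day])
        if count >= min_sources and count >= factor * baseline:
            flagged.append((day, count, sorted(days[day])))  # IPs feed a blocklist review
    return flagged

def constructed_sample():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = '{ip} - - [{d}/May/2025:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 0'
    lines = [fmt.format(ip=f"192.0.2.{n}", d=d, s=n, p="/mft-placeholder/login", c=200)
             for d in (24, 25, 26) for n in (1, 2)]           # quiet baseline: 2 sources/day
    lines += [fmt.format(ip=f"198.51.100.{n}", d=27, s=n, p="/mft-placeholder/probe", c=404)
              for n in range(10, 22)]                         # 27 May: 12 distinct sources
    lines.append(fmt.format(ip="203.0.113.9", d=27, s=59, p="/other-app/", c=200))
    return lines

if __name__ == "__main__":
    for day, count, ips in surge_days(unique_sources_per_day(constructed_sample())):
        print(f"{day}: {count} unique sources on watched paths, e.g. {ips[:3]}")
```

The flagged IP list is a starting point for the blocking workaround above; compare it against a threat intelligence feed before blocking, since legitimate partners may share the same paths.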
## References
- Vendor advisories related to fixes for CVE-2023-34362 and CVE-2023-36934 (Search Progress MOVEit Transfer security advisories).
- Primary source article: hxxps://thehackernews.com/2025/06/moveit-transfer-faces-increased-threats.html