In recent weeks, Progress MOVEit Transfer, a widely utilized managed file transfer solution, has experienced a significant uptick in scanning activity, raising alarms about potential exploitation by cyber adversaries. This development underscores the critical need for organizations to bolster their cybersecurity defenses and ensure their systems are up-to-date.
Escalation in Scanning Activity
On May 27, 2025, threat intelligence firm GreyNoise observed a dramatic increase in scanning activity targeting MOVEit Transfer systems. Prior to this date, daily scans were minimal, typically involving fewer than 10 unique IP addresses. However, on May 27, the number of unique IPs scanning these systems surged to over 100, escalating to 319 on May 28. Since then, daily scanner IP volume has remained elevated, fluctuating between 200 to 300 unique IPs per day. This pattern represents a significant deviation from the norm and suggests that MOVEit Transfer systems are once again in the crosshairs of potential attackers.
Over the past 90 days, GreyNoise has identified 682 unique IP addresses associated with this scanning activity. Notably, 44% of these IPs originate from Tencent Cloud (ASN 132203), with other significant sources including Cloudflare (113 IPs), Amazon (94 IPs), and Google (34 IPs). The majority of these scanner IPs geolocate to the United States, followed by Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.
Exploitation of Known Vulnerabilities
In addition to the surge in scanning activity, there have been low-volume exploitation attempts targeting known vulnerabilities in MOVEit Transfer. On June 12, 2025, GreyNoise detected attempts to exploit two specific vulnerabilities: CVE-2023-34362 and CVE-2023-36934. These vulnerabilities have been previously exploited by threat actors, including the Cl0p ransomware group, which leveraged CVE-2023-34362 in a widespread campaign in 2023, impacting over 2,770 organizations and exposing the personal data of approximately 93.3 million individuals.
Understanding the Vulnerabilities
CVE-2023-34362 is a critical SQL injection vulnerability in MOVEit Transfer that allows unauthenticated attackers to gain unauthorized access to the application database. Exploitation of this vulnerability can lead to data theft and potential system compromise. CVE-2023-36934 is another SQL injection vulnerability that, if exploited, can result in unauthorized access and manipulation of database contents.
Implications for Organizations
The recent surge in scanning activity and exploitation attempts indicates that threat actors are actively seeking unpatched MOVEit Transfer instances to exploit known vulnerabilities. Organizations utilizing MOVEit Transfer must recognize the heightened risk and take immediate action to secure their systems.
Recommended Actions
1. Apply Security Patches Promptly: Ensure that all MOVEit Transfer systems are updated to the latest versions that address known vulnerabilities. Progress Software has released patches for these vulnerabilities, and timely application is crucial to mitigate risk.
2. Monitor Network Traffic: Implement continuous monitoring of network traffic to detect unusual scanning activity or exploitation attempts. Utilize intrusion detection and prevention systems to identify and block malicious IP addresses.
3. Restrict Access: Limit public exposure of MOVEit Transfer systems by configuring firewalls to restrict access to trusted IP addresses. Disable unnecessary services and ports to reduce the attack surface.
4. Conduct Regular Security Audits: Perform regular security assessments and vulnerability scans to identify and remediate potential weaknesses in your systems.
5. Educate Employees: Provide cybersecurity training to employees to raise awareness about phishing attacks and other social engineering tactics that could be used to gain unauthorized access.
Conclusion
The recent increase in scanning activity and exploitation attempts targeting MOVEit Transfer systems serves as a stark reminder of the persistent threats facing organizations today. By proactively applying security patches, monitoring network activity, restricting access, conducting regular audits, and educating employees, organizations can significantly enhance their cybersecurity posture and protect sensitive data from potential breaches.
