Heightened Threats to MOVEit Transfer as Scanning Increases and CVE Vulnerabilities Are Exploited


Surge in Attacks on MOVEit Transfer Systems: What You Need to Know

Overview of the Threat

On May 27, 2025, cybersecurity firm GreyNoise reported a significant rise in scanning activity aimed at Progress MOVEit Transfer systems. This increase could indicate attackers preparing for a mass exploitation campaign, highlighting the importance of vigilance among users of this widely used managed file transfer solution.

What is MOVEit Transfer?

MOVEit Transfer is a secure managed file transfer service widely adopted by businesses and government agencies to facilitate the safe exchange of sensitive information. Its ability to handle high-value data makes it an attractive target for cybercriminals looking to exploit potential vulnerabilities.

The Spike in Scanning Activities

Before the end of May 2025, the scanning activity targeting MOVEit Transfer was relatively low, with fewer than ten unique IP addresses probing the systems daily. However, that changed dramatically on May 27, when over 100 unique IPs were detected. The following day saw an even higher number, with 319 unique IP addresses on May 28 alone. Since this spike, the number of scanning IPs has fluctuated between 200 and 300 daily, marking a considerable increase from typical behavior.
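
The same per-day count of unique source IPs can be computed from a MOVEit Transfer server's own web logs. The sketch below is an added example, not code from GreyNoise or Progress: it reads IIS W3C log lines and flags days whose count jumps well above the earlier baseline. The watched paths, the `factor` and `floor` thresholds, and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed MOVEit Transfer web paths to watch; adjust to your deployment.
WATCHED_PREFIXES = ("/human.aspx", "/guestaccess.aspx", "/moveitisapi/")

def daily_unique_ips(lines, prefixes=WATCHED_PREFIXES):
    """Return {date: set(client IPs)} for requests to watched paths in an IIS W3C log."""
    fields, seen = [], defaultdict(set)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # skip malformed rows
        row = dict(zip(fields, parts))
        stem, day, ip = row.get("cs-uri-stem", ""), row.get("date"), row.get("c-ip")
        if day and ip and stem.lower().startswith(prefixes):
            seen[day].add(ip)
    return seen

def spike_days(seen, factor=5, floor=25):
    """Flag days with >= floor unique IPs and more than factor x the median of earlier days."""
    flagged, history = [], []
    for day in sorted(seen):
        count = len(seen[day])
        baseline = median(history) if history else 0
        if count >= floor and count > factor * baseline:
            flagged.append((day, count, baseline))
        else:
            history.append(count)          # keep flagged days out of the baseline
    return flagged

def constructed_log():
    """Constructed sample: three quiet days, then one day with 120 distinct sources."""
    quiet = [f"{d} 10:00:00 GET /human.aspx 192.0.2.{i} 200"
             for d in ("2025-05-24", "2025-05-25", "2025-05-26") for i in range(1, 5)]
    burst = [f"2025-05-27 03:00:00 GET /human.aspx 198.51.100.{i} 200" for i in range(1, 121)]
    other = ["2025-05-27 03:00:01 GET /favicon.ico 203.0.113.9 404"]  # unwatched path
    return ["#Fields: date time cs-method cs-uri-stem c-ip sc-status"] + quiet + burst + other

if __name__ == "__main__":
    for day, count, base in spike_days(daily_unique_ips(constructed_log())):
        print(f"{day}: {count} unique IPs (baseline {base})")
```

Because the parser takes its column order from the `#Fields:` directive, it works with whichever W3C fields the site logs, provided `date`, `cs-uri-stem` and `c-ip` are among them.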

Statistics and Geolocation of Threats

In total, GreyNoise has flagged 682 unique IP addresses connected to these scanning activities over the last 90 days. Notably, 449 of these addresses were identified in just the past 24 hours. Among them, 344 have been labeled as suspicious, with 77 identified as malicious. A large majority of these IP addresses are traced back to the United States, with others originating from Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.

Exploitation Attempts on MOVEit Transfer

On June 12, 2025, GreyNoise observed low-volume attempts to exploit two known vulnerabilities in MOVEit Transfer—CVE-2023-34362 and CVE-2023-36934. It’s important to note that CVE-2023-34362 was previously exploited by the Cl0p ransomware group during a significant campaign in 2023, which affected over 2,770 organizations globally.

Importance of Security Measures

Given the notable increase in scanning activities, it is crucial for MOVEit Transfer users to take proactive steps. Users should ensure that their systems are up-to-date with the latest security patches, block any identified malicious IP addresses, and avoid exposing MOVEit Transfer instances to the public internet. Implementing these measures can help mitigate the risk posed by these ongoing scanning activities and potential exploitation attempts.

In summary, with the rise in targeting of MOVEit Transfer systems, it’s vital for organizations that rely on this data transfer solution to remain vigilant and implement necessary security protocols to safeguard against cyber threats.
