MOVEit Systems Face Increased Vulnerability After Scanning Activity

A significant rise in scanning activity targeting MOVEit Transfer systems has been detected, indicating a potential surge in attacks against the software.

Threat intelligence provider GreyNoise reported a notable increase in unique IP addresses interacting with its MOVEit Transfer Scanner Tag starting on May 27, 2025, with 100 unique IPs detected on that day, followed by 319 unique IPs on May 28.

Since that initial spike, the daily count of scanning IPs has remained intermittently elevated at between 200 and 300, a sharp departure from the previous norm of fewer than 10 scanning addresses per day. This resurgence suggests that MOVEit Transfer systems are once again a prime target for attackers.

In the summer of 2023, the Clop ransomware group exploited a vulnerability within MOVEit file transfer software, impacting hundreds of downstream clients, including notable organizations such as the BBC, British Airways, and the pharmacy chain Boots.

In total, GreyNoise identified 682 unique IPs involved in MOVEit scanning activities over a 90-day period ending June 24, 2025. The infrastructure identified as the most active was Tencent Cloud, accounting for 44% of the detected IPs, followed by Cloudflare (17%), Amazon (14%), and Google (5%). The vast majority of the scanning IPs were geolocated in the United States.

The observed activity potentially serves to prepare for renewed targeting of MOVEit Transfer systems by enabling attackers to identify new vulnerabilities or exploit previously undisclosed ones. Such scanning patterns often precede the discovery of new vulnerabilities within two to four weeks.

The concentration of the scanning activity within a single autonomous system (ASN) indicates that it is deliberate and most likely managed programmatically, rather than random or sporadic.

GreyNoise is actively monitoring this situation and plans to issue further updates as necessary.

Confirmed MOVEit Exploitation Attempts

GreyNoise also detected two low-volume exploitation attempts on June 12, 2025, linked to two previously disclosed SQL injection vulnerabilities in MOVEit Transfer, CVE-2023-34362 and CVE-2023-36934. These attempts surfaced during the heightened scanning activity and may represent target validation or exploitation testing; however, no widespread exploitation has been verified at this time.

In light of these developments, the firm offers the following recommendations for MOVEit users to safeguard against potential exploitation:

  • Block any malicious or suspicious IP addresses.
  • Conduct audits on the public exposure of MOVEit Transfer systems.
  • Apply patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934.
  • Monitor real-time attacker activity targeting MOVEit Transfer systems.
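The last two recommendations, monitoring attacker activity against your own MOVEit Transfer front end and deciding which sources to block, can be approached with the same per-day distinct-source baseline that GreyNoise describes above (fewer than 10 scanning IPs on a normal day, hundreds during the surge). The script below is an added example, not code from GreyNoise or Progress Software. It assumes Combined Log Format access logs (Apache/NGINX style) from the reverse proxy or web front end in front of MOVEit Transfer; the log lines, IP addresses and request paths in it are constructed for illustration, and the quiet-day ceiling and surge multiplier are tuning assumptions an operator would replace with values from their own logs.

```python
"""Daily distinct-source-IP surge check for a MOVEit Transfer front end.

Added example, not GreyNoise's or Progress Software's code. It assumes
Combined Log Format access logs from the proxy or web server in front of
MOVEit Transfer. SAMPLE_LOG below is constructed, not observed traffic.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Client IP, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: a quiet day with 2 sources, then 41 distinct
# sources the next day (40 new ones plus one returning quiet-day user).
# The malformed line checks that the parser skips bad records.
SAMPLE_LOG = (
    '203.0.113.5 - - [26/May/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 1024\n'
    '203.0.113.5 - - [26/May/2025:10:05:01 +0000] "POST /login HTTP/1.1" 302 0\n'
    '198.51.100.7 - - [26/May/2025:11:00:01 +0000] "GET / HTTP/1.1" 302 0\n'
    'this line is not an access-log record\n'
    '203.0.113.5 - - [27/May/2025:09:30:00 +0000] "GET / HTTP/1.1" 200 512\n'
    + "".join(
        f'192.0.2.{i} - - [27/May/2025:{i % 24:02d}:00:00 +0000] "GET / HTTP/1.1" 302 0\n'
        for i in range(1, 41)
    )
)


def unique_ips_per_day(log_text):
    """Map ISO date -> set of distinct client IPs seen on that day.

    Lines that do not match the expected format are skipped rather than
    raising, so one corrupt record cannot stall the whole check.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_day[ts.date().isoformat()].add(m.group("ip"))
    return dict(per_day)


def flag_surges(per_day, normal_max=10, multiplier=3):
    """Return {date: distinct-source count} for days above the baseline.

    normal_max is the operator's own quiet-day ceiling (assumed here from
    the "fewer than 10 per day" figure in the post); multiplier sets how
    far above it counts as a surge. Both are tuning assumptions.
    """
    threshold = normal_max * multiplier
    return {
        day: len(ips)
        for day, ips in sorted(per_day.items())
        if len(ips) > threshold
    }


def review_candidates(per_day, flagged):
    """Sorted IPs seen only on surge days, as a list to review for blocking.

    Sources that also appeared on quiet days are excluded so that regular
    users are not swept up with the scanners; the output is a review
    list, not an automatic block list.
    """
    quiet = set()
    for day, ips in per_day.items():
        if day not in flagged:
            quiet |= ips
    surge = set()
    for day in flagged:
        surge |= per_day[day]
    # Sort numerically by address; version first so v4 and v6 never compare.
    return sorted(
        surge - quiet,
        key=lambda ip: (ipaddress.ip_address(ip).version, ipaddress.ip_address(ip)),
    )


if __name__ == "__main__":
    per_day = unique_ips_per_day(SAMPLE_LOG)
    flagged = flag_surges(per_day)
    for day, n in flagged.items():
        print(f"{day}: {n} distinct sources (above baseline)")
    print("review candidates:", review_candidates(per_day, flagged))
```

Run it against a day's worth of real front-end logs by feeding the file contents to `unique_ips_per_day`; the first days of output establish what `normal_max` should be for your deployment before `flag_surges` is trusted to alert.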