MOVEit Transfer Encounters Heightened Threat Landscape Amid Escalating Scanning Activities and Exploitation of CVE Vulnerabilities
Threat intelligence firm GreyNoise has reported a significant increase in scanning activity targeting Progress MOVEit Transfer systems, which began on May 27, 2025. This uptick suggests potential preparation for another mass exploitation campaign or attempts to locate unpatched systems.
MOVEit Transfer is a widely used managed file transfer solution that enables secure sharing of sensitive data among businesses and government agencies. Due to its handling of high-value information, it has become an attractive target for cyber attackers.
Prior to the noted date, scanning activity was minimal, with fewer than 10 unique IPs observed daily. However, on May 27, the activity surged to over 100 unique IPs, escalating further to 319 on May 28. Since that spike, the daily volume of scanning IPs has consistently remained elevated, ranging between 200 and 300 IPs per day, marking a considerable departure from normal patterns.
In the preceding 90 days, a total of 682 unique IPs have been flagged in connection with this scanning activity. Of the 449 IP addresses observed in just the past 24 hours, 344 have been classified as suspicious, and 77 have been identified as malicious.
Geolocation data indicates that most of these IP addresses are based in the United States, followed by Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.
Additionally, GreyNoise has noted low-volume attempts to exploit two known vulnerabilities in MOVEit Transfer (CVE-2023-34362 and CVE-2023-36934) on June 12, 2025. Notably, CVE-2023-34362 was previously leveraged by Cl0p ransomware operators in a widespread campaign in 2023, which impacted over 2,770 organizations.
This recent surge in scanning activity underscores the urgent need for users to actively block the identified offending IP addresses, ensure their software is fully updated, and avoid any unnecessary exposure of their MOVEit Transfer systems to the public internet.
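To check whether a similar jump in unique scanning IPs appears in your own MOVEit Transfer front-end logs, the following added example (not code from GreyNoise or Progress) counts unique client IPs per day and flags days that break from the trailing baseline. Assumptions: combined-format access logs, `/human.aspx` as the request path to filter on, the function names, and the `window`, `factor` and `floor` thresholds; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Common/combined log format: client IP, [dd/Mon/yyyy:...], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "\S+ (\S+)')

def unique_ips_per_day(lines, path_prefix="/human.aspx"):
    """Map date -> set of client IPs that requested path_prefix (assumed path)."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, day, path = m.groups()
        if path.lower().startswith(path_prefix):
            seen[datetime.strptime(day, "%d/%b/%Y").date()].add(ip)
    return seen

def flag_surges(seen, window=7, factor=5, floor=20):
    """Return [(date, count, baseline)] for days whose unique-IP count exceeds
    both `floor` and `factor` x the median of the previous `window` days."""
    days = sorted(seen)
    counts = [len(seen[d]) for d in days]
    flagged = []
    for i, day in enumerate(days):
        history = counts[max(0, i - window):i]
        if not history:
            continue  # no baseline yet for the first day
        baseline = median(history)
        if counts[i] > floor and counts[i] > factor * baseline:
            flagged.append((day, counts[i], baseline))
    return flagged

def sample_log():
    """Constructed log lines: quiet days followed by a jump in unique IPs."""
    per_day = {"24": 3, "25": 4, "26": 3, "27": 120, "28": 319}
    lines = []
    for dd, n in per_day.items():
        for i in range(n):
            ip = f"10.0.{i // 250}.{i % 250 + 1}"  # constructed addresses
            lines.append(f'{ip} - - [{dd}/May/2025:10:00:00 +0000] "GET /human.aspx HTTP/1.1" 200 512')
        # unrelated request that the path filter must ignore
        lines.append(f'10.9.9.9 - - [{dd}/May/2025:10:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0')
    return lines
```

Days with no matching requests do not appear in the result, and once elevated volume persists for several days the median baseline rises and flagging stops, so treat the first flagged day as the signal to investigate.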