CVE-2025-11235
📋 TL;DR
This vulnerability allows attackers to change passwords without proper verification in Progress MOVEit Transfer's REST API modules on Windows. It affects organizations using vulnerable versions of MOVEit Transfer, potentially enabling unauthorized access to sensitive file transfer systems.
💻 Affected Systems
- Progress MOVEit Transfer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could change administrative or user passwords, gaining unauthorized access to sensitive data and file transfer operations, potentially leading to data exfiltration or system compromise.
Likely Case
Attackers with some level of access could escalate privileges or maintain persistence by changing passwords of existing accounts they've compromised through other means.
If Mitigated
With proper network segmentation and access controls, impact would be limited to isolated segments, though password changes could still occur within authorized access boundaries.
🎯 Exploit Status
Exploitation likely requires some level of access to the REST API, but specific authentication requirements are not detailed in the CVE description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.1.3, 2023.0.8, 2022.1.11, 2022.0.10
Vendor Advisory: https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from the Progress support portal.
2. Back up the current configuration and data.
3. Apply the patch following Progress installation guidelines.
4. Restart MOVEit Transfer services.
5. Verify functionality post-update.
🔧 Temporary Workarounds
Restrict REST API Access
Limit network access to MOVEit Transfer REST API endpoints to only trusted IP addresses or networks.
Configure firewall rules to restrict access to MOVEit Transfer REST API ports (typically 80/443) to authorized IP ranges only.
Disable Unused REST API Functions
If password change functionality via the REST API is not required, disable or restrict these endpoints.
Configure MOVEit Transfer to disable password change endpoints in REST API settings if supported.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MOVEit Transfer systems from untrusted networks
- Enforce strong authentication and monitoring for all REST API access, with alerts for password change attempts
🔍 How to Verify
Check if Vulnerable:
Check MOVEit Transfer version in administrative console or via system information commands. Compare against affected version ranges.
Check Version:
Check MOVEit Transfer administrative interface or review installation logs for version information.
Verify Fix Applied:
Verify installed version matches patched versions (2023.1.3, 2023.0.8, 2022.1.11, or 2022.0.10). Test password change functionality with proper verification.
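The version check above can be scripted across an inventory. The following is an added example, not Progress tooling: it assumes the installed version string reads MAJOR.MINOR.PATCH (an optional build suffix is ignored), treats any release on a listed branch that is older than that branch's fixed release as unpatched, and reports branches the advisory does not list as unknown rather than guessing, since the page gives only the fixed versions, not the full affected ranges.

```python
"""Compare installed MOVEit Transfer versions against the fixed releases listed above.

Added example, not Progress's own tooling. Assumptions: version strings are
MAJOR.MINOR.PATCH (a trailing build number such as "2023.1.3.45" is ignored);
anything on a listed branch below the branch's fixed release is unpatched;
branches not listed in the advisory are reported as "unknown-branch".
"""
from __future__ import annotations

# Fixed releases from the vendor advisory, keyed by (major, minor) branch.
FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int]] = {
    (2023, 1): (2023, 1, 3),
    (2023, 0): (2023, 0, 8),
    (2022, 1): (2022, 1, 11),
    (2022, 0): (2022, 0, 10),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse "2023.1.2" (or "2023.1.2.45") into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one installed version."""
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version reported by the admin console.
    inventory = {
        "mft-01": "2023.1.3",
        "mft-02": "2023.0.7",
        "mft-03": "2022.1.11.12",
        "mft-04": "2021.0.5",
    }
    for host, ver in inventory.items():
        print(f"{host:8} {ver:14} {assess(ver)}")
```

Feed it the version strings collected from each server's administrative interface; an "unknown-branch" result means the host needs a manual check against the vendor advisory rather than an automatic verdict.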
📡 Detection & Monitoring
Log Indicators:
- Unusual password change events in MOVEit logs
- Multiple failed authentication attempts followed by password changes
- REST API access from unexpected IP addresses
Network Indicators:
- Unusual REST API traffic patterns
- Password change requests without preceding authentication verification
SIEM Query:
source="moveit-transfer" AND (event_type="password_change" OR api_endpoint="*/password*") | stats count by src_ip, user
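The log and network indicators above can be turned into concrete detection rules. The following is an added example, not part of the advisory or of MOVEit Transfer: the log format and the trusted network are constructed for the example (MOVEit's real audit log fields differ, so the parser must be adapted to the field names your deployment emits). It flags three conditions on each password change event: a source address outside the trusted range, several failed authentications from the same source shortly before the change, and a change with no successful authentication for that user from that source in the preceding window.

```python
"""Detection rules for the password-change indicators listed above.

Added example, not vendor code. Assumed (constructed) log format per line:
    <iso-timestamp> <event> user=<name> src=<ip>
where <event> is one of auth_ok, auth_fail, password_change.
The trusted network, thresholds and window are assumptions to tune per site.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta
from typing import NamedTuple

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: admin VLAN
FAILED_AUTH_THRESHOLD = 3                                # failures before a change
WINDOW = timedelta(minutes=10)                           # look-back window


class Event(NamedTuple):
    ts: datetime
    kind: str
    user: str
    src_ip: str


def parse_line(line: str) -> Event:
    """Parse one constructed-format log line into an Event."""
    ts, kind, user_kv, src_kv = line.split()
    return Event(
        datetime.fromisoformat(ts),
        kind,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines: list[str]) -> list[str]:
    """Return one alert string per triggered rule, evaluated at each password change."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    alerts: list[str] = []
    for i, ev in enumerate(events):
        if ev.kind != "password_change":
            continue
        earlier = [e for e in events[:i] if ev.ts - e.ts <= WINDOW]
        # Rule 1: REST API password change from outside the trusted range.
        if not is_trusted(ev.src_ip):
            alerts.append(f"untrusted-source user={ev.user} src={ev.src_ip}")
        # Rule 2: repeated failed authentications from this source, then a change.
        fails = sum(1 for e in earlier if e.kind == "auth_fail" and e.src_ip == ev.src_ip)
        if fails >= FAILED_AUTH_THRESHOLD:
            alerts.append(f"bruteforce-then-change user={ev.user} src={ev.src_ip} failures={fails}")
        # Rule 3: change with no successful authentication for that user from that source.
        if not any(e.kind == "auth_ok" and e.user == ev.user and e.src_ip == ev.src_ip
                   for e in earlier):
            alerts.append(f"change-without-prior-auth user={ev.user} src={ev.src_ip}")
    return alerts


# Constructed sample log: a benign change by alice, then a suspicious one for bob.
SAMPLE_LOG = [
    "2025-10-01T09:00:00 auth_ok user=alice src=10.20.5.7",
    "2025-10-01T09:01:00 password_change user=alice src=10.20.5.7",
    "2025-10-01T09:10:00 auth_fail user=bob src=203.0.113.9",
    "2025-10-01T09:10:20 auth_fail user=bob src=203.0.113.9",
    "2025-10-01T09:10:40 auth_fail user=bob src=203.0.113.9",
    "2025-10-01T09:11:00 password_change user=bob src=203.0.113.9",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 3 is the one that maps most directly to this CVE, since the flaw is a password change without proper verification; rules 1 and 2 cover the surrounding indicators and will also fire on ordinary credential-stuffing activity, so they are best treated as context rather than as proof of exploitation.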