Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable HTTPS module with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); spoofing yields integrity impact only (I:H, C:N/A:N), matching the 'limited' bypass description.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
7DescriptionNVD
Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
AnalysisAI
Authentication bypass by spoofing in Progress MOVEit Transfer's HTTPS module allows remote unauthenticated attackers to impersonate or partially bypass identity verification, compromising integrity (CVSS 7.5, I:H) without exposing or destroying data (C:N/A:N). The flaw affects MOVEit Transfer builds before 2025.0.7 and the 2025.1.x line before 2025.1.3; a vendor patch is available. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires network reachability to the MOVEit Transfer HTTPS (web) module, which is the exact affected component named in the CVE; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, no user interaction, and no special non-default configuration is documented, so a standard internet- or intranet-exposed MOVEit Transfer HTTPS listener on an unpatched version (before 2025.0.7, or 2025.1.0-2025.1.2) is sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward moderate, patch-soon rather than emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker with no credentials sends crafted HTTPS requests to an internet-exposed MOVEit Transfer web endpoint, presenting a forged or spoofed authentication indicator that the server trusts, thereby assuming another identity to a limited degree and tampering with data or actions permitted to that identity. No user interaction or prior authentication is required (PR:N/UI:N), and attack complexity is low; however, no public exploit code has been identified at time of analysis. |
| Remediation | Vendor-released patch: upgrade to MOVEit Transfer 2025.0.7 (for the pre-2025.1 line) or 2025.1.3 (for the 2025.1.x line), whichever matches your deployment, as documented in the Progress fixed-issues notes at https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Progress MOVEit Transfer deployments and determine current version numbers across all systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Moveit Transfer
View allIn Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.0.0 be
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.
Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalizat
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.0.0 bef
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web appl
In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in w
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. Rate
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 a
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42381
GHSA-rwjf-g383-jc9c