Monthly
Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalization checks to reach or place files outside their intended scope, carrying an NVD CVSS of 9.8. It affects MOVEit Transfer before 2025.0.8 and the 2025.1.x line before 2025.1.4, and a vendor patch is available. There is no public exploit identified at time of analysis and EPSS is low (0.25%), while CISA SSVC rates exploitation as none and technical impact as only partial.
Path-equivalence weakness in Progress MOVEit Transfer's File Upload modules lets remote attackers bypass path-normalization checks to reach or place files outside their intended scope, carrying an NVD CVSS of 9.8. It affects MOVEit Transfer before 2025.0.8 and the 2025.1.x line before 2025.1.4, and a vendor patch is available. There is no public exploit identified at time of analysis and EPSS is low (0.25%), while CISA SSVC rates exploitation as none and technical impact as only partial.