A significant surge in scanning activity targeting Progress MOVEit Transfer systems has been observed since late May 2025, indicating heightened threats and potential exploitation campaigns. Threat intelligence firm GreyNoise reported a dramatic spike beginning May 27, 2025, when scanning activity jumped from fewer than 10 unique IP addresses per day to over 100, followed by 319 IPs on May 28. Daily scanning volumes have since remained elevated at 200–300 IPs, a stark deviation from baseline activity.
Key Threat Indicators
• Infrastructure Concentration: Scanning infrastructure is heavily concentrated within a few major cloud providers (counts are of the 682 IPs observed over 90 days):
  • Tencent Cloud: 303 IPs (44% of total)
  • Cloudflare: 113 IPs
  • Amazon: 94 IPs
  • Google: 34 IPs
Concentration in a handful of hosting providers points to deliberately provisioned, programmatically managed infrastructure rather than random, opportunistic probing.
Exploitation Attempts
Low-volume exploitation attempts were observed on June 12, 2025, targeting two known vulnerabilities: CVE-2023-34362, the SQL injection flaw in the MOVEit Transfer web application that Clop chained into unauthenticated remote code execution in 2023, and CVE-2023-36934, a second SQL injection vulnerability patched in July 2023. While widespread exploitation has not been confirmed, these attempts indicate that at least some of the scanners are testing working exploits against the hosts they find, not merely fingerprinting them. Both flaws have had fixes available since 2023; internet-exposed instances still running affected builds are what these probes are looking for.
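As an added example (not code from GreyNoise, Progress, or the article), the script below shows how a MOVEit Transfer operator could look for the two signals described above in their own IIS W3C logs: a jump in unique client IPs per day against a quiet-period baseline (the surge pattern GreyNoise reported) and requests to paths tied to the publicly documented 2023 exploitation of CVE-2023-34362. The log lines are constructed, the 10x surge factor and the two-path watchlist are assumptions to tune to your environment, and the field order is read from the log's own #Fields header rather than hard-coded.

```python
"""Detect a MOVEit Transfer scanning surge in IIS W3C logs.

Added example, not code from GreyNoise or Progress. It parses IIS W3C
log lines (field order taken from the #Fields header), counts unique
client IPs per day, flags days that exceed a quiet-period baseline by a
chosen factor, and lists requests to a small watchlist of paths.
"""
from collections import defaultdict
from statistics import median

# Paths tied to the publicly documented 2023 exploitation of CVE-2023-34362:
# the ISAPI endpoint abused by the exploit chain and the web shell name.
# Illustrative watchlist (assumption); the legitimate /human.aspx is NOT here.
WATCHLIST = {"/moveitisapi/moveitisapi.dll", "/human2.aspx"}

FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status")


def _line(day, ip, path, status=200, query="-"):
    # Constructed IIS W3C line; server IP, port and user agent are placeholders.
    return f"{day} 12:00:00 10.0.0.5 GET {path} {query} 443 - {ip} python-requests/2.31 {status}"


def build_sample_log():
    """Constructed log: two quiet days, then a surge shaped like May 27-28."""
    lines = ["#Fields: " + FIELDS]
    for day, n in (("2025-05-25", 4), ("2025-05-26", 6),
                   ("2025-05-27", 120), ("2025-05-28", 319)):
        for i in range(n):
            # 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges
            ip = f"203.0.113.{i}" if i < 256 else f"198.51.100.{i - 256}"
            lines.append(_line(day, ip, "/human.aspx", 302))
    # One scanner (already counted above) also probes the 2023 exploit paths.
    lines.append(_line("2025-05-28", "198.51.100.5",
                       "/moveitisapi/moveitisapi.dll", 404, "action=m2"))
    lines.append(_line("2025-05-28", "198.51.100.5", "/human2.aspx", 404))
    return "\n".join(lines)


def parse_iis(text):
    """Return a list of dicts keyed by the names in the latest #Fields header."""
    fields, records = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign fields
        records.append(dict(zip(fields, parts)))
    return records


def unique_ips_per_day(records):
    """Map each date to the number of distinct client IPs seen that day."""
    per_day = defaultdict(set)
    for r in records:
        per_day[r["date"]].add(r["c-ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def flag_surges(counts, baseline_days, factor=10):
    """Return the non-baseline days whose unique-IP count is >= factor * baseline.

    The baseline is the median of the named quiet days, floored at 1 so a
    zero-traffic baseline does not flag every day.
    """
    base = max(1, median(counts.get(d, 0) for d in baseline_days))
    return {d: n for d, n in counts.items()
            if d not in baseline_days and n >= factor * base}


def watchlist_hits(records):
    """Return (date, client IP, path, status) for requests to watchlisted paths."""
    return [(r["date"], r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in records if r["cs-uri-stem"].lower() in WATCHLIST]


if __name__ == "__main__":
    recs = parse_iis(build_sample_log())
    counts = unique_ips_per_day(recs)
    print("unique client IPs per day:", counts)
    print("surge days:", flag_surges(counts, ["2025-05-25", "2025-05-26"]))
    for hit in watchlist_hits(recs):
        print("watchlist hit:", hit)
```

Run it against a real log by replacing build_sample_log() with the file contents; a 404 on the watchlisted paths means the probe found nothing to talk to, while a 200 on /human2.aspx on a host you did not deploy it on is an incident, not a scan.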
Geographical Targeting
Scanner IPs primarily geolocate to the United States, with significant activity from Germany, Japan, Singapore, and Brazil. Top destination countries include the UK, US, Germany, France, and Mexico.
Context and Risks
MOVEit Transfer, a managed file-transfer product that handles sensitive data, has been a high-value target for attackers, most notably the Clop ransomware group's mass exploitation of CVE-2023-34362 in 2023. Surges of this kind often precede a new vulnerability disclosure or a mass exploitation campaign. With 682 unique IPs classified as malicious or suspicious in the 90 days covered by the report, organizations running internet-exposed MOVEit Transfer face an elevated risk of data breach; they should confirm they are on a patched release, limit exposure of the web interface where possible, and review web server logs for probing of the 2023 exploit paths.