A notable surge in scanning activity targeting Progress MOVEit Transfer systems has been detected by threat intelligence firm GreyNoise starting May 27, 2025. This surge suggests that attackers may be gearing up for another mass exploitation campaign or probing for unpatched systems.
MOVEit Transfer, a widely-used managed file transfer solution for secure data sharing by businesses and government agencies, has become a prime target for attackers due to its handling of high-value information.
According to the company, “Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28.”
Since then, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day, marking a significant deviation from usual behavior.
GreyNoise has flagged as many as 682 unique IPs in connection with the activity over the past 90 days, with 449 IP addresses observed in the past 24 hours alone. Of the 449 IPs, 344 have been categorized as suspicious and 77 have been marked malicious.
The majority of the IP addresses geolocate to the United States, followed by Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.
Low-volume exploitation attempts to weaponize two known MOVEit Transfer flaws (CVE-2023-34362 and CVE-2023-36934) were detected by GreyNoise on June 12, 2025. It’s important to note that CVE-2023-34362 was exploited by Cl0p ransomware actors in a widespread campaign in 2023, affecting over 2,770 organizations.
The increase in scanning activity underscores the need for users to block the offending IP addresses, ensure their software is up-to-date, and refrain from publicly exposing MOVEit Transfer instances over the internet.
