MOVEit Transfer Systems Hit by Wave of Attacks Using Over 100 Unique IPs

A dramatic surge in scanning and exploitation activity targeting Progress Software’s MOVEit Transfer file-sharing platform has alarmed cybersecurity researchers and enterprise defenders worldwide.

Over the past 90 days, threat intelligence firm GreyNoise has detected 682 unique IP addresses targeting MOVEit Transfer systems, with the most intense activity beginning on May 27, 2025—when scanning activity spiked from near-zero to over 100 unique IPs in a single day. 

By May 28, that number had climbed to 319 unique IPs, and daily scanning volumes have remained persistently elevated, fluctuating between 200 and 300 IPs per day ever since.

The attack infrastructure is notably concentrated among a handful of major cloud providers. Tencent Cloud accounts for 44% of all scanner IPs (303 out of 682), making it the most active source by far.

Other significant contributors include Cloudflare (113 IPs), Amazon (94), and Google (34). 

This level of concentration—especially within a single autonomous system number (ASN)—suggests that the scanning is both deliberate and programmatically managed, rather than the result of random or distributed probing.

Geographically, the majority of scanner IPs are geolocated to the United States, while the top destination countries for these scans include the United Kingdom, United States, Germany, France, and Mexico. 

The targeting of these regions highlights the global nature of the threat, with organizations across multiple industries at risk.

On June 12, 2025, GreyNoise also observed low-volume exploitation attempts targeting MOVEit Transfer systems.

These attempts were linked to two previously disclosed vulnerabilities: CVE-2023-34362 and CVE-2023-36934. 

While these events could indicate target validation or exploit testing, GreyNoise has not yet detected widespread exploitation.

However, the presence of exploitation attempts during a period of heightened scanning underscores the persistent threat posed by attackers to MOVEit Transfer users.

The MOVEit Transfer platform, widely used by organizations for secure file transfers, has been a frequent target for cybercriminals in recent years.

Previous attacks have involved the exploitation of zero-day vulnerabilities, often resulting in the installation of custom web shells and the exfiltration of sensitive data from thousands of organizations and nearly 100 million individuals. 

The current wave of scanning and exploitation attempts suggests that attackers are once again probing for weaknesses in MOVEit Transfer systems, potentially preparing for new data breach campaigns.

Security experts recommend that organizations take immediate action to protect their systems.

Key defensive measures include dynamically blocking malicious and suspicious IPs, auditing public exposure of MOVEit Transfer systems, and applying patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934. 

Continuous monitoring of attacker activity is also critical, as threat actors may shift tactics or escalate their efforts in response to defensive measures.
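The following is an added example, not GreyNoise's method and not code from the article. It shows one way to watch your own perimeter logs for the pattern described above: a day on which distinct source IPs jump well above the recent baseline, together with how concentrated those sources are by network owner. The record layout, the thresholds and the owner labels are assumptions, and the sample records are constructed using documentation-range addresses.

```python
from collections import defaultdict
from statistics import median

def daily_unique(records):
    """Map each date to the set of distinct source IPs seen that day."""
    days = defaultdict(set)
    for day, ip, _owner in records:
        days[day].add(ip)
    return dict(sorted(days.items()))

def spike_days(daily, window=7, factor=5, floor=10):
    """Flag days whose unique-IP count is >= floor and > factor x the
    median of the preceding `window` days (thresholds are assumptions)."""
    dates, flagged = list(daily), []
    for i, day in enumerate(dates):
        prior = [len(daily[d]) for d in dates[max(0, i - window):i]]
        baseline = median(prior) if prior else 0
        count = len(daily[day])
        # Treat a near-zero baseline as 1 so a quiet history cannot hide a jump.
        if count >= floor and count > factor * max(baseline, 1):
            flagged.append((day, count, baseline))
    return flagged

def owner_share(records):
    """Share of distinct source IPs per network owner, largest first."""
    owners = defaultdict(set)
    for _day, ip, owner in records:
        owners[owner].add(ip)
    total = len({ip for _d, ip, _o in records})
    return sorted(((o, len(ips), len(ips) / total) for o, ips in owners.items()),
                  key=lambda t: -t[1])

# Constructed sample: a quiet week, then a one-day jump in distinct sources.
# Owner labels ("isp-x", "cloud-a", "cloud-b") are hypothetical.
SAMPLE = [(f"2025-05-{d:02d}", "192.0.2.10", "isp-x") for d in range(20, 27)]
SAMPLE += [("2025-05-27", f"198.51.100.{n}", "cloud-a") for n in range(1, 10)]
SAMPLE += [("2025-05-27", f"203.0.113.{n}", "cloud-b") for n in range(1, 4)]

if __name__ == "__main__":
    for day, count, base in spike_days(daily_unique(SAMPLE)):
        print(f"{day}: {count} unique IPs (baseline median {base})")
    for owner, n, share in owner_share(SAMPLE):
        print(f"{owner}: {n} IPs ({share:.0%})")
```

Counting distinct sources rather than raw requests keeps one noisy client from masking or faking a spike, and the per-owner share shows whether a blocklist entry at the network level would cover most of the activity.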

The ongoing targeting of MOVEit Transfer highlights the broader challenges faced by organizations relying on widely used file-sharing solutions.

The concentration of attack infrastructure in major cloud providers complicates attribution and mitigation efforts, while the global reach of the attacks underscores the need for international cooperation in cybersecurity defense.

As the situation evolves, GreyNoise and other threat intelligence providers are developing enhanced dynamic IP blocklists to help defenders respond more quickly to emerging threats. 

Organizations are urged to remain vigilant and to prioritize the security of their file transfer systems in the face of this persistent and evolving threat landscape.
