Could Increased MOVEit Transfer Scanning Signal Emerging Threat Activity?

As of May 27, 2025, there has been an increase in scanning activity targeting MOVEit Transfer systems.
GreyNoise notes that before this date, scanning was typically observed from fewer than 10 IPs per day. On that date, the total rose to more than 100 unique IPs. May 28, 2025 saw 319 IPs. Since this noted increase, the daily count of scanner IPs has stayed between 200 and 300. These findings suggest that MOVEit Transfer may be the focus of emerging threat activity.
Shane Barney, Chief Information Security Officer at Keeper Security, states, “The increase in scanning activity targeting MOVEit Transfer systems is worth monitoring, but doesn’t necessarily indicate imminent or widespread exploitation. This type of behavior often reflects opportunistic threat actors probing for unpatched systems — not necessarily a sophisticated adversary. That said, the MOVEit vulnerabilities have a history of being exploited at scale, with significant consequences, so organizations must remain vigilant. Ensuring patches are applied, systems aren’t unnecessarily exposed and privileged access is tightly controlled are all foundational steps that help reduce risk.”
With AI enabling malicious actors to increase the speed and sophistication of attacks, security teams are encouraged to focus on the foundations of security to mitigate risks.
“While cybercrime groups may attempt to speed up and scale campaigns with automation or AI, core defense strategies for organizations remain the same: establish a zero-trust architecture, manage privilege access and use real-time threat detection to continuously monitor for suspicious activity,” Barney asserts.
Confirmed Exploitation Attempts Leverage Old MOVEit Vulnerabilities
On June 12, 2025, confirmed exploitation attempts were observed. These involved two previously disclosed vulnerabilities, CVE-2023-34362 and CVE-2023-36934.
Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck, comments, “Attackers are exploiting a vulnerability in outdated versions of MOVEit Transfer, emphasizing the importance of keeping software up-to-date with the latest patches. Attackers are always on the lookout for unpatched and older versions of software to take advantage of. With the help of AI, attackers can automate a lot of their tasks and run attacks faster while making them harder to detect.”
These exploit attempts occurred during a period of increased scanning, potentially representing target validation or exploit testing. However, at this time, no widespread exploitation has been observed.
Nevertheless, organizations and security teams should be alert and aware of the risks.
Ms. Murthy says, “To prevent such attacks, security teams should inventory all instances of the software using SCA tools, implement additional controls such as authentication and authorization, and regularly scan their software inventory for risks. Maintaining accurate Software Bills of Materials (SBOMs) is also crucial in managing risk and helps confidently unleash business innovation in an era of accelerating risk.”