Progress MOVEit Transfer < 2024.1.8 / 2025.0.x < 2025.0.4 / 2025.1 Server-Side Request Forgery (November 2025)

medium Nessus Plugin ID 326459

Synopsis

An application installed on the remote host is affected by a server-side request forgery vulnerability.

Description

The version of Progress MOVEit Transfer, formerly Ipswitch MOVEit DMZ, installed on the remote host is affected by a server-side request forgery vulnerability.

- Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4. (CVE-2025-13147)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Progress MOVEit Transfer version 2024.1.8, 2025.0.4, 2025.1, or later.

See Also

http://www.nessus.org/u?5d959654

http://www.nessus.org/u?b36d2215

http://www.nessus.org/u?bea0e892

Plugin Details

Severity: Medium

ID: 326459

File Name: progress_moveit_transfer_17_1_0.nasl

Version: 1.1

Type: Local

Agent: windows

Family: Windows

Published: 7/13/2026

Updated: 7/13/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-13147

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: cpe:/a:ipswitch:moveit_dmz, cpe:/a:ipswitch:moveit_transfer, cpe:/a:progress:moveit_transfer

Patch Publication Date: 11/19/2025

Vulnerability Publication Date: 11/19/2025

Reference Information

CVE: CVE-2025-13147