A significant rise in scanning activity targeting MOVEit Transfer systems has been detected, indicating the software could face a resurgence in attacks.
Threat intelligence provider GreyNoise detected a massive jump in unique IPs triggering its MOVEit Transfer Scanner Tag, beginning on May 27, 2025. On that day, 100 unique IPs were detected, followed by 319 on May 28.
“Since that initial jump, the daily scanner IP volume has remained intermittently elevated between 200 and 300 IPs per day – a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs,” the researchers noted.
Prior to May 27, scanning activity targeting MOVEit was minimal, at less than 10 addresses observed per day.
In the summer of 2023, the notorious Clop ransomware gang exploited a vulnerability in MOVEit file transfer software, allowing it to target hundreds of downstream customers, including high-profile names such as the BBC, British Airways and the pharmacy chain Boots.
In total, GreyNoise detected 682 unique IPs undertaking MOVEit scanning activity in the 90 days up to June 24, 2025. The most active infrastructure was Tencent Cloud, used by 44% of the IPs detected.
Other source providers included Cloudflare (17%), Amazon (14%) and Google (5%).
The “overwhelming majority” of scanner IPs geolocated to the US.
The researchers believe the activity could be laying the groundwork for renewed targeting of MOVEit Transfer systems, by helping attackers discover new zero-days or exploit undisclosed vulnerabilities.
They noted that such scanning patterns are often followed by new vulnerabilities emerging two to four weeks later.
“This level of infrastructure concentration – particularly within a single autonomous system number (ASN) – suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing,” they commented.
The company added that it is continuing to monitor the situation and will provide updates as necessary.
Confirmed MOVEit Exploitation Attempts
GreyNoise also revealed it observed two low-volume exploitation attempts on June 12, 2025. These were associated with two previously disclosed SQL injection vulnerabilities affecting MOVEit Transfer systems – CVE-2023-34362 and CVE-2023-36934.
“These events occurred during the period of heightened scanning and may represent target validation or exploit testing, but at this time, no widespread exploitation has been observed,” the researchers noted.
The firm provided the following recommendations for MOVEit customers to protect against exploitation attempts:
- Block any malicious and suspicious IPs
- Audit public exposure of any MOVEit Transfer systems
- Apply patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934
- Monitor real-time attacker activity against MOVEit Transfer
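The "deviation from baseline" signal the researchers describe can be reproduced from a defender's own web-server logs. The following is an added example, not GreyNoise's tooling or code from the article: it counts unique source IPs per day that request MOVEit Transfer paths and flags days that exceed both an absolute floor and a multiple of the recent median. The combined-log format, the MOVEit request paths and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed Apache/nginx combined access-log shape: "IP - - [day:time zone] "METHOD PATH ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Request-path prefixes assumed to identify the MOVEit Transfer web front end;
# tune to what your own deployment actually serves.
MOVEIT_PATHS = ("/human.aspx", "/moveitisapi/", "/api/v1/", "/guestaccess.aspx")

# Constructed sample lines (documentation-range IPs, not real scanner sources).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/May/2025:08:01:11 +0000] "GET /human.aspx HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/May/2025:08:01:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    '198.51.100.7 - - [27/May/2025:02:14:03 +0000] "GET /moveitisapi/moveitisapi.dll HTTP/1.1" 200 88',
    '203.0.113.5 - - [27/May/2025:02:14:09 +0000] "POST /api/v1/token HTTP/1.1" 401 0',
    '203.0.113.9 - - [27/May/2025:02:20:40 +0000] "GET /guestaccess.aspx HTTP/1.1" 200 300',
]

def daily_unique_ips(lines):
    """Return {day: set(source IPs)} for requests that touch MOVEit paths."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").startswith(MOVEIT_PATHS):
            seen[m.group("day")].add(m.group("ip"))
    return seen

def flag_spikes(counts, baseline_days=7, min_ips=50, multiplier=5.0):
    """Flag days whose unique-IP count is at least `min_ips` AND more than
    `multiplier` times the median of the preceding `baseline_days`.
    `counts` maps day label -> unique IPs, in chronological insertion order."""
    flagged, days = [], list(counts)
    for i, day in enumerate(days):
        window = [counts[d] for d in days[max(0, i - baseline_days):i]]
        if not window:          # no history yet: nothing to compare against
            continue
        baseline = max(median(window), 1)
        if counts[day] >= min_ips and counts[day] > multiplier * baseline:
            flagged.append(day)
    return flagged

if __name__ == "__main__":
    print({d: len(ips) for d, ips in daily_unique_ips(SAMPLE_LOG).items()})
    # Daily counts mirroring the article's figures: under 10/day before May 27,
    # then 100, 319 and a 200-300 plateau (constructed, not GreyNoise data).
    reported = {"24/May/2025": 6, "25/May/2025": 8, "26/May/2025": 7,
                "27/May/2025": 100, "28/May/2025": 319, "29/May/2025": 250}
    print(flag_spikes(reported))
```

Because the baseline is a rolling median, a sustained plateau keeps being flagged until enough elevated days enter the window, which is the "intermittently elevated" condition the article describes.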