CVE-2025-2324 — Improper Privilege Management in MOVEit Transfer
Severity
8.8 HIGH (NVD)
CNA: 5.9
EPSS
0.1%
top 81.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 19
Description
Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation. This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
CVEList
A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder (2025-03-19)
GHSA
GHSA-r985-fv8x-vqj3: Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalat (2025-03-19)