CVE-2025-11235 Overview
An Unverified Password Change vulnerability exists in Progress MOVEit Transfer on Windows, specifically within the REST API modules. The flaw allows an attacker to manipulate the password change functionality without proper verification, which could lead to account compromise or service disruption in affected MOVEit Transfer deployments.
Critical Impact
This vulnerability affects the password change mechanism in MOVEit Transfer's REST API, potentially allowing unauthorized password modifications that could disrupt service availability.
Affected Products
- Progress MOVEit Transfer versions 2023.1.0 to 2023.1.2 (fixed in 2023.1.3)
- Progress MOVEit Transfer versions 2023.0.0 to 2023.0.7 (fixed in 2023.0.8)
- Progress MOVEit Transfer versions 2022.1.0 to 2022.1.10 (fixed in 2022.1.11)
- Progress MOVEit Transfer versions 2022.0.0 to 2022.0.9 (fixed in 2022.0.10)
Discovery Timeline
- January 7, 2026 - CVE-2025-11235 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-11235
Vulnerability Analysis
This vulnerability is classified under CWE-620 (Unverified Password Change), which occurs when a web application allows users to change their passwords without requiring the current password or other verification mechanisms. In the context of MOVEit Transfer, the REST API modules fail to properly validate password change requests, creating a potential avenue for unauthorized access or account manipulation.
The attack vector is network-based, requires no authentication and no user interaction, but the complexity of successful exploitation is rated high. The rated impact is to availability only, not to confidentiality or integrity.
Root Cause
The root cause lies in insufficient verification controls within the password change functionality of the REST API modules: the application does not adequately verify the identity of the requester before processing a password change request. This departure from secure authentication design (re-verifying the requester before a credential change) is what makes the condition exploitable.
Attack Vector
The vulnerability is exploitable over the network through the MOVEit Transfer REST API endpoints. An attacker would need to craft specially formed requests to the password change API endpoint. While the attack requires no prior authentication, the high attack complexity suggests that specific conditions or timing may need to be met for successful exploitation. The impact is primarily denial of service, as successful exploitation could lock users out of their accounts or disrupt password-related functionality.
The vulnerability manifests in the REST API's password change handling mechanism. Affected deployments should consult the Progress Release Notes for version 2023.1.3 for detailed technical information about the fix.
Detection Methods for CVE-2025-11235
Indicators of Compromise
- Unusual volume of password change requests targeting the REST API endpoints
- Failed or anomalous authentication attempts following password change API calls
- Log entries showing password modifications without corresponding user-initiated sessions
- Multiple password change requests from unexpected IP addresses or geographic locations
Detection Strategies
- Monitor REST API logs for abnormal password change request patterns
- Implement rate limiting detection on authentication-related API endpoints
- Configure alerts for password change operations that lack normal user session context
- Review audit logs for password changes that don't correlate with user activity patterns
Monitoring Recommendations
- Enable detailed logging for all REST API authentication endpoints
- Deploy network intrusion detection signatures for anomalous MOVEit Transfer API traffic
- Implement user behavior analytics to detect unusual password change activities
- Configure SIEM rules to correlate password change events with user session data
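As an added example (not from the original page or from Progress), the detection strategies above applied to log data: it flags password-change API calls that carry no authenticated username and bursts of such calls from one source IP. The log line format and the endpoint path are constructed placeholders, not MOVEit's real log layout or REST route; substitute the fields and path from your own deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder path: substitute the real REST endpoint from the vendor documentation.
PASSWORD_CHANGE_PATH = "/api/v1/PLACEHOLDER-password-change"
BURST_THRESHOLD = 3                   # more than this many calls from one IP ...
BURST_WINDOW = timedelta(minutes=5)   # ... within this sliding window is a burst

# Constructed sample lines in a W3C-style layout (NOT MOVEit's real log format):
# date time c-ip cs-method cs-uri-stem sc-status cs-username ("-" = no user session)
SAMPLE_LOG = """\
2026-01-08 09:00:01 10.1.2.3 POST /api/v1/PLACEHOLDER-password-change 200 alice
2026-01-08 09:00:05 203.0.113.7 POST /api/v1/PLACEHOLDER-password-change 200 -
2026-01-08 09:00:09 203.0.113.7 POST /api/v1/PLACEHOLDER-password-change 200 -
2026-01-08 09:00:14 203.0.113.7 POST /api/v1/PLACEHOLDER-password-change 200 -
2026-01-08 09:00:20 203.0.113.7 POST /api/v1/PLACEHOLDER-password-change 200 -
2026-01-08 09:01:00 10.1.2.4 GET /api/v1/files 200 bob
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<user>\S+)$"
)

def parse(log_text):
    """Yield one dict per line that matches the constructed layout; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
            yield rec

def detect(log_text):
    """Return (kind, ip, timestamp) findings for the two detection rules."""
    findings = []
    recent = defaultdict(deque)   # ip -> timestamps of password-change calls in window
    for rec in parse(log_text):
        if rec["method"] != "POST" or rec["path"] != PASSWORD_CHANGE_PATH:
            continue
        if rec["user"] == "-":    # password change with no user session context
            findings.append(("no_session", rec["ip"], rec["ts"]))
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) == BURST_THRESHOLD + 1:   # report once, when first exceeded
            findings.append(("burst", rec["ip"], rec["ts"]))
    return findings
```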
How to Mitigate CVE-2025-11235
Immediate Actions Required
- Upgrade MOVEit Transfer to the latest patched version immediately
- Review recent password change logs for any suspicious activity
- Temporarily restrict access to REST API endpoints from untrusted networks if patching is delayed
- Enable enhanced logging on authentication-related API endpoints
Patch Information
Progress has released security patches addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- MOVEit Transfer 2023.1.3 or later (for 2023.1.x branch)
- MOVEit Transfer 2023.0.8 or later (for 2023.0.x branch)
- MOVEit Transfer 2022.1.11 or later (for 2022.1.x branch)
- MOVEit Transfer 2022.0.10 or later (for 2022.0.x branch)
Detailed patch information is available in the Progress Release Notes for version 2023.1.3.
Workarounds
- Implement network-level access controls to limit REST API exposure to trusted networks only
- Deploy a web application firewall (WAF) with rules to monitor and filter suspicious password change requests
- Enable multi-factor authentication where supported to add additional verification layers
- Consider temporarily disabling REST API password change functionality if not operationally required
# Example: Network-level restriction using Windows Firewall
# Note: this is an ALLOW rule scoped to the listed source ranges. It only restricts access
# if the profile's default inbound action is Block and no broader allow rule for TCP 443 exists,
# and it scopes all HTTPS traffic to the host, not just the REST API. Ranges below are examples.
netsh advfirewall firewall add rule name="MOVEit REST API Restriction" dir=in action=allow protocol=TCP localport=443 remoteip=10.0.0.0/8,192.168.0.0/16
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.