CVE-2025-2324 Overview
CVE-2025-2324 is an Improper Privilege Management vulnerability [CWE-269] affecting the SFTP module in Progress MOVEit Transfer. The flaw impacts accounts configured as Shared Accounts and allows authenticated users to escalate privileges within the managed file transfer platform. Progress MOVEit Transfer is widely deployed to handle sensitive business-to-business file exchange, making privilege escalation issues high-impact for regulated environments.
The vulnerability affects MOVEit Transfer versions from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, and from 2024.1.0 before 2024.1.2. Progress released patched builds and published a security advisory on March 18, 2025.
Critical Impact
An authenticated attacker abusing a Shared Account configuration over SFTP can elevate privileges and gain unauthorized access to files and operations belonging to other users on the MOVEit Transfer server.
Affected Products
- Progress MOVEit Transfer 2023.1.0 up to, but not including, 2023.1.12
- Progress MOVEit Transfer 2024.0.0 up to, but not including, 2024.0.8
- Progress MOVEit Transfer 2024.1.0 up to, but not including, 2024.1.2
Discovery Timeline
- 2025-03-19 - CVE-2025-2324 published to the National Vulnerability Database (NVD)
- 2025-07-31 - Last updated in the NVD
Technical Details for CVE-2025-2324
Vulnerability Analysis
The vulnerability resides in the SFTP module of MOVEit Transfer and is classified as Improper Privilege Management [CWE-269]. When a user account is configured as a Shared Account, the SFTP module fails to enforce the correct privilege boundary between the shared identity and other principals authorized on the system. An authenticated attacker holding low-privilege credentials can leverage this gap to perform actions outside the intended permission scope.
Because the attack vector is network-based and requires only low privileges with no user interaction, exploitation can be triggered remotely once SFTP access is obtained. Successful exploitation impacts the confidentiality, integrity, and availability of data managed by MOVEit Transfer, including the potential exposure or modification of files belonging to other tenants on the platform.
Root Cause
The root cause is improper enforcement of authorization checks when the SFTP module operates on behalf of users mapped to Shared Account configurations. The module does not consistently validate whether the acting principal should be granted the elevated capabilities associated with the shared identity, allowing privilege boundaries to be crossed.
Attack Vector
Exploitation requires a valid, authenticated SFTP session against an unpatched MOVEit Transfer instance. The attacker must hold credentials that map to or interact with a Shared Account configuration. Once authenticated, the attacker performs SFTP operations that the module evaluates with elevated privileges, resulting in horizontal or vertical privilege escalation. No user interaction is required to complete the attack.
Verified exploitation code is not available in public sources at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Progress MOVEit Transfer Advisory for vendor technical details.
Detection Methods for CVE-2025-2324
Indicators of Compromise
- SFTP authentication events for accounts mapped to Shared Account configurations followed by file operations outside their normal directory scope.
- Unexpected file reads, writes, deletions, or permission changes performed under a Shared Account identity.
- Session activity from accounts accessing files or folders that they do not historically interact with on the MOVEit Transfer server.
Detection Strategies
- Enable and review verbose audit logging in MOVEit Transfer for all SFTP sessions, focusing on accounts configured as Shared Accounts.
- Baseline normal SFTP file access patterns per account and alert on deviations such as access to new folders, mass downloads, or operations on other users' files.
- Correlate MOVEit Transfer application logs with network telemetry to identify SFTP connections from unusual source addresses or at unusual times.
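The per-account baselining described above can be sketched as follows. This is an added example, not code from Progress or from the original page; the CSV column names, account names and paths are constructed assumptions and do not reflect MOVEit Transfer's actual log schema.

```python
import csv
import io
import posixpath
from collections import defaultdict

# Constructed sample exports; the columns (account, action, path) are assumptions.
BASELINE_CSV = """account,action,path
shared_ap,download,/Partners/AcmeCo/invoices/2025-02.csv
shared_ap,upload,/Partners/AcmeCo/inbox/po-1182.xml
jsmith,download,/Home/jsmith/report.pdf
"""
RECENT_CSV = """account,action,path
shared_ap,download,/Partners/AcmeCo/invoices/2025-03.csv
shared_ap,download,/Home/jsmith/report.pdf
shared_ap,delete,/Partners/Globex/outbox/settlement.csv
jsmith,download,/Home/jsmith/report2.pdf
"""
# Hypothetical inventory of accounts configured as Shared Accounts.
SHARED_ACCOUNTS = {"shared_ap"}


def top_folder(path, depth=2):
    """Reduce a file path to its first `depth` folders, after normalising it
    so that equivalent spellings of a path map to the same folder."""
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    return "/" + "/".join(parts[:depth])


def build_baseline(csv_text):
    """Map each account to the set of folders it touched historically."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen[row["account"]].add(top_folder(row["path"]))
    return seen


def find_deviations(baseline, csv_text, shared_accounts):
    """Return (account, action, path) for Shared Account operations that
    fall outside the folders seen in the baseline period. An account with
    no baseline at all has every operation reported."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = row["account"]
        if account not in shared_accounts:
            continue
        if top_folder(row["path"]) not in baseline.get(account, set()):
            alerts.append((account, row["action"], row["path"]))
    return alerts
```

In practice the baseline window should predate the period under review, so that suspect activity does not become part of the baseline.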
Monitoring Recommendations
- Forward MOVEit Transfer SFTP logs and audit trails to a centralized SIEM or data lake for long-term retention and analysis.
- Monitor administrative actions, permission changes, and Shared Account configuration modifications within MOVEit Transfer.
- Alert on repeated failed authorization checks or error events emitted by the SFTP module that may indicate exploitation attempts.
How to Mitigate CVE-2025-2324
Immediate Actions Required
- Upgrade MOVEit Transfer to a fixed release: 2023.1.12 or later, 2024.0.8 or later, or 2024.1.2 or later as documented by Progress.
- Inventory all accounts configured as Shared Accounts and review their permissions and file scope before and after patching.
- Rotate credentials for any account suspected of misuse and audit recent SFTP activity for unauthorized operations.
Patch Information
Progress published patched builds and remediation guidance in the Progress MOVEit Transfer Advisory on March 18, 2025. Administrators should apply the appropriate fixed version for their deployment branch as the primary remediation.
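To triage a fleet against the fixed versions above, the following added example (not from Progress or the original page) classifies version strings by branch. The host names and inventory are constructed placeholders, and the version strings are assumed to use the dotted release format shown in this advisory.

```python
# (first affected, first fixed) per branch, copied from the advisory text above.
AFFECTED_RANGES = [
    ((2023, 1, 0), (2023, 1, 12)),
    ((2024, 0, 0), (2024, 0, 8)),
    ((2024, 1, 0), (2024, 1, 2)),
]

# Constructed inventory: host name -> reported MOVEit Transfer version.
INVENTORY = {
    "mft-01.example.internal": "2023.1.9",
    "mft-02.example.internal": "2024.0.8",
    "mft-03.example.internal": "2024.1.1.4",
    "mft-04.example.internal": "2022.1.5",
}


def parse_version(text):
    """Parse 'YYYY.N.P[.build]' into a tuple of ints.

    Comparing integers matters: as strings, '2023.1.9' sorts after
    '2023.1.12' and an affected build would be reported as fixed."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'affected', 'fixed', or 'not_listed' for one version string.

    'not_listed' means the branch is outside the three ranges in this
    advisory; it is not a statement that the build is safe."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if version[:2] == first_affected[:2]:
            in_range = first_affected <= version[:3] < first_fixed
            return "affected" if in_range else "fixed"
    return "not_listed"


def triage(inventory):
    """Classify every host in the inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}
```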
Workarounds
- Where immediate patching is not possible, restrict or disable Shared Account configurations in the SFTP module until the upgrade can be applied.
- Limit SFTP access to MOVEit Transfer from trusted networks using firewall rules or IP allow lists to reduce exposure.
- Enforce least privilege on all MOVEit Transfer accounts and review file and folder permissions to minimize the impact of any privilege escalation.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


