Cyber Posture

CVE-2025-11235

Low

Published: 07 January 2026
Modified: 03 February 2026
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
CVSS Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 7 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11235 is a low-severity Unverified Password Change (CWE-620) vulnerability in the REST API modules of Progress MOVEit Transfer on Windows. Its CVSS v3.1 base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote exploitation of the public-facing REST API in MOVEit Transfer directly matches T1190; the resulting low-impact denial of service through application abuse matches T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.

Deeper analysis

CVE-2025-11235 is an Unverified Password Change vulnerability (CWE-620) in Progress MOVEit Transfer on Windows, specifically in the REST API modules. It affects MOVEit Transfer versions from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, and from 2022.0.0 before 2022.0.10. Its CVSS v3.1 base score is 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), rated Low because the only impact is a limited loss of availability.

A remote, unauthenticated attacker can reach the vulnerability over the network without any user interaction, but the attack complexity is rated High. Successful exploitation yields a low-impact denial of service: limited disruption of availability with no effect on confidentiality or integrity. Note that the published vector assigns no integrity impact even though the weakness is classified as CWE-620 (Unverified Password Change); the CVSS rating reflects the vendor's assessment of the REST API issue, and defenders exposing the REST API to the Internet should weigh that exposure rather than the score alone.

Progress advisories indicate the vulnerability was fixed in MOVEit Transfer versions 2023.1.3, 2023.0.8, 2022.1.11, and 2022.0.10. Apply the update for the release branch you run; because the affected component is the Internet-facing REST API, exposure persists until the upgrade is in place. Details are in the release notes at https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html.
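Because each branch has its own fixed release, a naive "version < 2023.1.3" comparison misclassifies patched 2022.x and 2023.0.x hosts. The following added example (not Progress's tooling and not from this page) encodes the four ranges from the NVD description with an inclusive lower bound and an exclusive upper bound, and triages a constructed inventory; the hostnames, versions and function names are this example's own.

```python
"""Version-range check for CVE-2025-11235.

Added example; not Progress's own tooling. The affected ranges are those in
the NVD description on this page: lower bound inclusive, upper bound (the
fixed release) exclusive. Versions outside the four listed branches are
reported as 'not_listed' rather than assumed safe or vulnerable.
"""
from typing import NamedTuple


class Branch(NamedTuple):
    first_affected: tuple
    fixed: tuple


# From the NVD description: "from X before Y" for each release branch.
AFFECTED = (
    Branch((2022, 0, 0), (2022, 0, 10)),
    Branch((2022, 1, 0), (2022, 1, 11)),
    Branch((2023, 0, 0), (2023, 0, 8)),
    Branch((2023, 1, 0), (2023, 1, 3)),
)


def parse_version(text: str) -> tuple:
    """'2023.0.7' -> (2023, 0, 7). Components after the third (build
    suffixes) are ignored; missing components count as 0."""
    nums = []
    for part in text.strip().split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break
        nums.append(int(digits))
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple((nums + [0, 0, 0])[:3])


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess(version: str) -> dict:
    """Classify one installed version as vulnerable, patched or not_listed."""
    v = parse_version(version)
    for branch in AFFECTED:
        if v[:2] != branch.first_affected[:2]:
            continue  # different release branch, keep looking
        if branch.first_affected <= v < branch.fixed:
            return {"version": version, "status": "vulnerable", "fixed_in": fmt(branch.fixed)}
        return {"version": version, "status": "patched", "fixed_in": fmt(branch.fixed)}
    # 2024.x and later, or anything older than 2022.0, is not in the advisory.
    return {"version": version, "status": "not_listed", "fixed_in": None}


def triage(inventory: list) -> list:
    """inventory: [(host, version), ...] -> rows with vulnerable hosts first."""
    order = {"vulnerable": 0, "not_listed": 1, "patched": 2}
    rows = [{"host": host, **assess(ver)} for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r["status"]], r["host"]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mft-prod-01", "2023.0.7"),
    ("mft-prod-02", "2023.0.8"),
    ("mft-dr-01", "2022.1.10"),
    ("mft-lab-01", "2024.0.1"),
    ("mft-legacy-01", "2022.0.10"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        fix = f" (fixed in {row['fixed_in']})" if row["status"] == "vulnerable" else ""
        print(f"{row['host']:14} {row['version']:10} {row['status']}{fix}")
```

Hosts reported as not_listed should be checked against the vendor's current advisory rather than treated as safe; this check only knows the four branches the NVD entry names.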

Details

CWE(s)

CWE-620 Unverified Password Change
Affected Products

Progress MOVEit Transfer
2022.0.0 up to (not including) 2022.0.10 · 2022.1.0 up to (not including) 2022.1.11 · 2023.0.0 up to (not including) 2023.0.8 · 2023.1.0 up to (not including) 2023.1.3
The upper bound of each range is the fixed release for that branch and is not affected.

CVEs Like This One

CVE-2025-2324 · Same product: Progress MOVEit Transfer
CVE-2026-4670 · Same product class: managed file transfer
CVE-2025-13447 · Same product class: managed file transfer
CVE-2025-13444 · Same product class: managed file transfer
CVE-2026-5174 · Same product class: managed file transfer
CVE-2026-2699 · Same vendor: Progress
CVE-2025-54309 · Same product class: managed file transfer
CVE-2025-1758 · Same vendor: Progress
CVE-2026-6022 · Same vendor: Progress
CVE-2026-6023 · Same vendor: Progress
