Cyber Resilience

CVE-2025-11235

Severity: Low

Published: 07 January 2026

Modified: 03 February 2026
KEV Added: not listed
Patch: see fixed versions in the analysis below
CVSS v3.1 Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 7 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11235 is a low-severity Unverified Password Change (CWE-620) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 4.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-11235 is an Unverified Password Change vulnerability (CWE-620) in Progress MOVEit Transfer on Windows, specifically affecting the REST API modules. The issue impacts MOVEit Transfer versions from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, and from 2022.0.0 before 2022.0.10. It has a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), rated as low severity due to its limited impact on availability.

A remote attacker with network access and no privileges can exploit this vulnerability; the attack is of high complexity and requires no user interaction. Successful exploitation results in a low-impact denial of service: limited disruption to availability, with no effect on confidentiality or integrity.

Progress advisories indicate the vulnerability was fixed in MOVEit Transfer versions 2023.1.3, 2023.0.8, 2022.1.11, and 2022.0.10. Security practitioners should apply these patches promptly to mitigate the risk, as detailed in the release notes at https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html.

EU & UK References

Vulnerability details

Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.

CWE(s): CWE-620 Unverified Password Change

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote exploitation of the public-facing REST API in MOVEit Transfer directly matches T1190; the resulting low-impact DoS through application abuse matches T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-2324: same product (Progress MOVEit Transfer)
CVE-2023-34362: same product (Progress MOVEit Transfer)
CVE-2026-4670: same product class (managed file transfer)
CVE-2026-8485: same product class (managed file transfer)
CVE-2026-8488: same product class (managed file transfer)
CVE-2025-13444: same product class (managed file transfer)
CVE-2025-13447: same product class (managed file transfer)
CVE-2026-8486: same product class (managed file transfer)
CVE-2026-8487: same product class (managed file transfer)
CVE-2026-5174: same product class (managed file transfer)

Affected Assets

Vendor: Progress
Product: MOVEit Transfer
Affected versions: 2022.0.0 before 2022.0.10; 2022.1.0 before 2022.1.11; 2023.0.0 before 2023.0.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely application of vendor patches that remediate the unverified password-change flaw in MOVEit REST API modules.

Authenticator management (prevent): Mandates secure authenticator (password) management procedures that would prevent acceptance of unverified password-change requests.

AC-3 Access Enforcement (prevent): Enforces access-control decisions on password-change operations, blocking the unauthenticated or unverified requests that trigger the DoS condition.

References