CVE-2025-11235
Unverified Password Change Vulnerability in MOVEit Transfer REST API
Publication date: 2026-01-07
Last updated on: 2026-02-03
Assigner: Progress Software Corporation
Description
Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| progress | moveit_transfer | From 2023.1.0 (inc) to 2023.1.3 (exc) |
| progress | moveit_transfer | From 2023.0.0 (inc) to 2023.0.8 (exc) |
| progress | moveit_transfer | From 2022.1.0 (inc) to 2022.1.11 (exc) |
| progress | moveit_transfer | From 2022.0.0 (inc) to 2022.0.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-620 | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability could allow unauthorized password changes, potentially leading to denial of service or disruption of availability of the MOVEit Transfer service. However, it does not impact confidentiality or integrity according to the CVSS score.
Can you explain this vulnerability to me?
This vulnerability is an Unverified Password Change issue in Progress MOVEit Transfer on Windows, specifically affecting the REST API modules. It allows an attacker to change passwords without proper verification in certain versions of MOVEit Transfer.