Description
In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in without full credentials via the SSH (SFTP) interface. The vulnerability affects only certain SSH (SFTP) configurations, and is applicable only if the MySQL database is being used.
References (2)
Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm
Third Party Advisory x_refsource_confirm
https://community.ipswitch.com/s/article/SFTP-Auth-Vulnerability
Scores
CVSS v3
9.8
EPSS
0.0149
EPSS Percentile
70.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-306
Status
published
Products (1)
ipswitch/moveit_transfer
11.1 - 11.1.3
Published
Oct 31, 2019
Tracked Since
Feb 18, 2026