Progress MOVEit Transfer — Vulnerability Disclosure
Atumcell-discovered weakness in Progress Software's MOVEit Transfer file-transfer product, coordinated with the vendor and publicly disclosed.
AFFECTED
Progress Software (MOVEit Transfer)
SEVERITY
High
SUMMARY
Atumcell research surfaced a security weakness in Progress Software's MOVEit Transfer product. The disclosure was coordinated with the vendor and reported in the trade press alongside related findings in Zoho Desk, illustrating the recurring exposure pattern in widely deployed enterprise file-transfer and ITSM software.
DETAIL
MOVEit Transfer is a managed file-transfer product widely deployed in regulated sectors (financial services, healthcare, government supply chain), where the file-transfer layer is treated as transport plumbing and rarely receives security attention proportional to the data it moves. The combination of broad deployment and underweighted assurance makes it a recurring high-impact target.
The finding was disclosed to Progress Software through its coordinated disclosure process. Channel Futures covered the disclosure in December 2024 alongside a related Zoho Desk finding. The practical implication for operators is the same one that drove the broader 2023 MOVEit incidents into national headlines: file-transfer infrastructure is part of the perimeter, not adjacent to it, and assessments of "sensitive data exposure" that omit transfer layers will continue to miss material exposure paths.