CVE-2025-13147 MEDIUM

CVE-2025-13147: External Service Interaction (DNS)

Vendor Progress

Product MOVEit Transfer

Weakness CWE-918 · SSRF

Published November 19, 2025

Last update November 19, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.

Key dates

02Disclosure timeline

November 19, 2025 CVE published

November 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13147 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2026-41171 SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient CVE-2026-44430 MCP Registry: Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist CVE-2025-21385 Microsoft Purview Information Disclosure Vulnerability CVE-2025-4581 CVE-2026-33752 Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)

Identifiers

CVE CVE-2025-13147

CWE CWE-918

CVSS 5.3 / MEDIUM

Affected versions

Vendor Progress

Product MOVEit Transfer

Affected < 2024.1.8

Vendor Progress

Product MOVEit Transfer

Affected ≥ 2025.0.0 and < 2025.0.4