
Security Incident: Polyfill and MOVEit

On June 25th, 2024, two vulnerabilities under active exploitation were announced by the National Vulnerability Database (NVD) – one for Progress MOVEit Transfer (CVE-2024-5806) and one for Polyfill's CDN service (CVE-2024-38526). This blog provides an overview of steps you can take to protect your organization and your third-party network, as well as a summary of our investigation and mitigation efforts.


MOVEit is software for secure data transfers, and Polyfill is a CDN service. Many organizations across all industries use these services, so this situation could have widespread implications for organizations of all sizes around the world.

Severity and Impact

If you are a MOVEit Transfer or Polyfill customer, it is extremely important that you take immediate action as noted below in order to help protect your organization. As of this writing, NIST has not completed analysis of either CVE noted above nor assigned any severity ratings. However, various organizations have reported that they have experienced incidents related to these two issues, which means remediation efforts should be expedited. 

Step 1: Determine if you are at risk.

  • If you are using any of the services listed below, your organization is at risk. See Step 2 below for remediation recommendations.
  • Both MOVEit and Polyfill vulnerabilities may indirectly impact your organization if your vendors use either provider in their organization. 
  • To assess whether your third parties are using MOVEit Transfer or Polyfill CDN services and if there is any associated impact, you can access the MOVEit Transfer Critical Vulnerability and Compromised Domain Questionnaires in the Whistic platform under our Questionnaire Standards Library.

Affected Services

  • MOVEit
    • MOVEit Transfer 2023.0.0 through 2023.0.10
    • MOVEit Transfer 2023.1.0 through 2023.1.5
    • MOVEit Transfer 2024.0.0 through 2024.0.1
  • Polyfill

Step 2: Immediately rotate credentials and secrets related to the affected services.

  • Affected organizations are urged to: 
    • For MOVEit Customers: Upgrade MOVEit Transfer to version 2023.0.11, 2023.1.6, or 2024.0.2. 
    • For Polyfill customers: Remove all references and links to or
  • All organizations are encouraged to assess their third parties for risks related to these vulnerabilities, where applicable.
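
To apply Steps 1 and 2 to an inventory of MOVEit Transfer servers, the version ranges above can be checked mechanically. The following is an added example, not code from Whistic or Progress. It assumes version strings of the form year.minor.patch and pairs each affected range with the fixed release of the same branch. Hostnames and inventory values are constructed.

```python
import re

# Affected ranges and fixed releases as listed on this page, keyed by
# release branch (year, minor). Pairing by branch is this example's assumption.
AFFECTED = {
    (2023, 0): (0, 10, "2023.0.11"),
    (2023, 1): (0, 5, "2023.1.6"),
    (2024, 0): (0, 1, "2024.0.2"),
}

def parse_version(text):
    """Return (year, minor, patch) as ints; extra build components are ignored."""
    m = re.match(r"^\s*v?(\d{4})\.(\d+)\.(\d+)(?:\.\d+)*\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(version_text):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    year, minor, patch = parse_version(version_text)
    entry = AFFECTED.get((year, minor))
    if entry is None:
        # Branch does not appear in this advisory: no conclusion either way.
        return ("not-listed", None)
    low, high, fixed = entry
    # Integer comparison matters: as strings, "10" would sort before "9".
    if low <= patch <= high:
        return ("affected", fixed)
    return ("fixed", None)

def triage(inventory):
    """Map host -> (status, upgrade_target); unparseable entries need manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = assess(version)
        except ValueError:
            report[host] = ("unknown", None)
    return report

# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {"sftp-01": "2023.0.10", "sftp-02": "2023.0.11",
          "sftp-03": "2024.0.1", "sftp-04": "2022.1.4", "sftp-05": "n/a"}

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE).items():
        print(host, status, f"-> upgrade to {fixed}" if fixed else "")
```

A "not-listed" or "unknown" result means the version falls outside the ranges this page gives, not that the server is unaffected.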

Does this affect Whistic?

As a result of our investigation, we have determined that this situation does not directly impact Whistic. Whistic does not use MOVEit or Polyfill products, and we haven't identified any of our third parties that use these products. We have a structured approach to vulnerability identification and remediation using technologies in both the development lifecycle and in our stage and production environments.
