What's New in MOVEit Transfer

The following new features and improvements were added to MOVEit Transfer.







April 28, 2021

Initial release



July, 2021

Quality hotfix



July, 2021

Quality hotfix



July 29, 2021

Security hotfix



August 7, 2021

Security hotfix



September, 2021

Customer requests



May 31, 2023

Security hotfix. For details, see Fixed Issues in 2021.0.7.



June 12, 2023



June 15, 2023

Security hotfix. For details, see Fixed Issues in 2021.0.8.



July 5, 2023

Security Service Pack 1. For details, see Fixed Issues in 2021.0.9.

Encryption Key Rotation Manager

The key rotation manager enables you to refresh the organization's passphrase (and the key derived from it) for your at-rest data (organization filestore). Use the key management interface to deploy a rotation schedule, launch the key rotation process directly, or both. When file re-encryption work completes using the new key, MOVEit Transfer notifies you by email.

Using this robust key management dashboard, you can:

  • View history of organization-wide encryption key rotation.
  • Get a helpful time-to-complete estimate.
  • Launch re-encryption work right now, in off-hours, or as appropriate (override with pause and resume)
  • Pause and restart the conversion process.
  • Get reminders on paused or pending rotations.
  • Get completion summary, alerts, and reports on completed rotations.

View Key History (freshness)

Get Time Needed to Re-encrypt

Pause and Resume

Schedule Key Rotation

Scheduled Reminder Emails

MOVEit Client Enabled with MFA

MOVEit Client gives users private access to a uniquely-generated verification code (made available by email or mobile app). This additional verification step ensures user sign-on is genuine.

Users can manage MFA settings through the WebUI My Account page.

Setup Screen if MFA not Already Configured

Enter Temporary Verification Code (email method shown)

Logging Performance Improvements

We improved diagnostic logging performance so users with heavier system loads can enable higher debug levels, which allows you to capture robust diagnostic information when you’re working with our technical support team. The performance improvements include a control to limit how frequently diagnostic information is written to the log files. By default, this control is set to every 60 seconds. This can be adjusted if needed.

Custom Branding for Email Notifications

Include site, team, or enterprise logo designs in email notifications. Site branding controls are more intuitive.

The SETTINGS > Appearance - Brand page features intuitive controls and a new preview mode. You can apply defaults at the global (SysAdmin) and specific designs for MOVEit Transfer organizations (OrgAdmin level).

Custom Site Design Configuration Panel (SETTINGS Appearance - Brand)

Critical System Alerts Email

Configure distinct email target/recipient for cases where MOVEit Transfer detects high-severity, low-frequency events. For example, email recipients could be an operations engineer, an IT group's 'on-call' list, or other responsible individuals in accordance with site-reliability notification and escalation schedules.

Critical System Alerts Email Configuration (email tab of MOVEit Transfer Config Utility shown)

RESTful API Improvements

MOVEit Transfer 2021 adds new capabilities to its REST API.



New response model for One-Time Password (OTP).

  • OTP response includes masked email for account.
  • Successful response includes data (changed from HTTP 204 to HTTP 200).

POST /api/v1/token/otp

Email-only option now can return a response body and an HTTP status of 200. The response body contains a masked copy of the user's email address.

Response body example:

"user": {

"masked_email": "m****"


Download report as file.

GET /api/api/v1/reports/reportId/results/download?format=<format>

—Where <format> can be html, csv, or XML.



Get a list of all reports.

GET /api/api/v1/reports/

Page through report results list.

GET /api/v1/reports?page=<pages-returned>&amp;perPage=<reports-per-page>&amp;sortField=<report-field-to-sort-by>&amp;sortDirection=<sortby-direction>



Change folder Permission Inheritance settings

PATCH /api/v1/folders/{Id}

—Where {ID} is the ID of the folder.

—and where explicit permissions flag is set in the request body.

Change folder notification settings.

PATCH /api/v1/folders/{Id}/acls/{entryId}

—and where notification settings are set in the request body.

Updating folder sharing and permissions

PATCH /api/v1/folders/{Id}/notifications

—Where {ID} is the ID of the folder.

—and where sharing and permission settings are changed in the request body.

Change character restriction policy for filenames

PATCH /folders/{Id}/characterRestrictions

—and where allowable characters is set in the request body.

Change history setting, unique filenames, thumbnail display, and overwrite settings.

PATCH /api/v1/folders/{Id}/miscellaneous

—Where {ID} is the ID of the folder.

—and where individual settings are boolean values applied to the request body.

Change folder quota, new file time limit, and folder quota characteristics.

PATCH /api/v1/folders/{Id}/maintenance

—Where {ID} is the ID of the folder.

—and where individual settings are changed in the request body.

Fixed Issues

This section outlines issues tracked and fixed by the MOVEit product team for the 2021 release. Not all changes suggested by customers or uncovered in usability testing are tracked as issues or defects. See the What's New section for a broader view of these improvements.



Fixed Issue


Admin UI

Fixed issue where setting SSH Policy for the current user returned the message "certificate is not for the user."



Fixed issue where Folder Download to .zip produced an empty .zip file.



Fixed issue to disallow an out-of-range client IP address.



Fixed issue where an org admin could see session count metrics for the system.


Admin UI

Fixed issue where the WebUI returned an error if a sysadmin acting as orgadmin attempted to add a user.


Admin UI

Fixed issue where report failed to overwrite when Overwrite option was selected.


Admin UI

Fixed issue where using a new MOVEit Transfer account resulted in exception if used from MOVEit Automation.



Fixed post-upgrade issue in 12.1.1 where password change stamp updated during the password hash update.


Transfer Server

Fixed issue with GarbageCollection task where only the first 1000 file deletes were reflected in the log and when viewed from custom reports.


Transfer Server

Fixed issue where some package attachments not cleaned up during scheduled GarbageCollection task.



Fixed issue where deleting custom notification returned an "Invalid Custom Notification" message.


Web Farm

Fixed issue for Web Farm pattern where scheduled tasks log is saved at the remote file store rather than location defined in server configuration.



Fixed issue to log exceptions and continue to file, which could be blocked when malformed or corrupted comments field was encountered.



Fixed issue where in a Secure Folder Sharing scenario, retrieving the full folder list resulted in long queries.



Performance improvements to handle high volume of short session.


External Auth

Fixed issue where sign-on to an ExternalOnly org for the first time returns exception after sign-on.


Custom Notifications

Fixed issue where customized notifications applied one group and user belongs to that group and one other but gets customized notifications from both.


Package Transfer

Fixed issue where package upload failed if session expires during upload.


Package Recipients

Fixed issue to ensure all users on a package recipient list receive send receipts.



Fixed issue where folder quota information is not visible after creating subfolder.



Fixed issue where filename did not display hyperlink to file details view.



Fixed issue where administrator user indicator was not visible if administrator was also a group admin.



Fixed issue where internal path to brand logo visible to users.



Fixed vulnerability issue in recursive folder properties operation. Credit: Steven Seeley.



Fixed vulnerability issue in the mark new operation. Credit: Alex Kordas.

47619, 47327


CVE-2021-37614: Addressed a SQL injection vulnerability that may allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Credit Alex Kordas

Fixed Issues in 2021.0.6

This section outlines issues tracked and fixed by the MOVEit product team for the May 31, 2023 Hotfix.



Fixed Issue



CVE-2023-34362. Addressed a SQL injection vulnerability that may allow an attacker to gain unauthorized access to MOVEit Transfer's database.

Fixed Issues in 2021.0.7

This section outlines issues tracked and fixed by the MOVEit product team for the June 12, 2023 Hotfix. Not all changes suggested by customers or uncovered in usability testing are tracked as issues or defects. See the What's New section for a broader view of these improvements.



Fixed Issue



CVE-2023-35036. Addressed a SQL injection vulnerability that may allow an attacker to gain unauthorized access to MOVEit Transfer's database.

Fixed Issues in 2021.0.8

This section outlines issues tracked and fixed by the MOVEit product team for the June 15, 2023 Hotfix. Not all changes suggested by customers or uncovered in usability testing are tracked as issues or defects. See the What's New section for a broader view of these improvements.



Fixed Issue



CVE-2023-35708: Addressed a SQL injection vulnerability that may allow an attacker to gain unauthorized access to MOVEit Transfer's database.

Fixed Issues in 2021.0.9

This section outlines issues tracked and fixed by the MOVEit product team for the July 5, 2023 Service Pack 1.



Fixed Issue

68501 Installer Installer upgrades and repair mode slow if certificate storage has large number of certs.
69752 Server/Security Improved controls and validation for active sessions.
69753 Server/Security Improved controls and validation for upload states.
69990 Server/REST API Improved availability issue that could occur with increased volume and scale out of session sign-on activity.
69998 Server Improved transaction server parsing.
70001 Server/Security Newer password hashing scheme enforced. Legacy scheme is no longer supported.
70167 Server Refactoring and abstraction of OrgEngine/InstCertAdd.
70176 Server/Security Addressed a SQL injection vulnerability that may allow an authorized user to gain unauthorized access to MOVEit Transfer's database.
70312 Server/Security Addressed a SQL injection vulnerability that may allow an authorized user to gain unauthorized access to MOVEit Transfer's database.
70404 Server/User Auth Addressed a SQL injection vulnerability that may allow an attacker to gain unauthorized access to MOVEit Transfer's database.


Upgrading to the latest version of MOVEit Transfer ensures that you have access to the latest features, fixes, security updates, and usability improvements.

If you have a support subscription, upgrades are free. For licensing information, you can read this MOVEit License FAQ.

Get the Installer and Activation Code

To get a MOVEit installer package:

  1. Log in to the Progress Customer and Community portal and select Product Downloads.
  2. Download the product package.

    When you get your MOVEit product package from your Progress Community page, the activation code is embedded in the download file and is automatically applied during installation.

    The activation code is also stored in your Progress Community product page for reference.

  3. Before you run the upgrade installer.
    • Review Upgrade Guidelines. They identify useful tips and guidelines for existing MOVEit Transfer or MOVEit DMZ users.
    • It is a good idea to copy and save your current product serial number. This Progress knowledge base article explains how to find it.

Upgrade Paths

MOVEit Transfer 2021 supports "direct upgrade" (upgrade by way of running the MOVEit Transfer installer) for existing MOVEit Transfer 2019 (11.0.0) and newer.

Use the Upgrade Path table to find out how you can move earlier or legacy versions to MOVEit Transfer 2021.

Your Older MOVEit Transfer Version

Upgrade Path

MOVEit Transfer 2019 (11.0.0) or newer

Use Upgrade mode in MOVEit installer:

MOVEit Transfer 2018 PLUS SP2 (10.2) and older

If you are running a version that is out of date or close to being out of date, you can:

  • Upgrade to a supported version such as 2019 (running the 2019 installer in upgrade mode), and then...
  • Use the latest installer to upgrade 2019 to 2021.

    Check the Product Lifecycle page --upgrade to the latest version of MOVEit Transfer if your product version is close or past its End of Life (EoL) or sunset milestones.

Upgrade Considerations

Logs Directory for Web Farm Upgrade

When you upgrade a MOVEit Transfer Server node, ensure that the local logs directory defined in the Web Farm install configuration for all nodes already exists (or create one on each node). If the installer does not find this local logs directory, it will return a failure message and halt during the Web Farm scale-out process.

MySQL Database Deployments

When you run the MOVEit Transfer installer in an upgrade scenario on a MOVEit Transfer deployment using MySQL, the installer upgrades existing MySQL 5.7 servers to MySQL 8.x.

Any custom schema, tables, and fields (if applicable) must be backed up

It is best practice to backup any customizations before you run the MOVEit Transfer installer. MOVEit Transfer database schema customizations are not supported. If you change the name or add schema, indexes, or tables, the MOVEit Installer will not expect these manual changes and attempt to revert them.

Reset tamper check for logs

If you have logs that include data from before and after a software upgrade, tamper check verification shows false positive tamper errors when verifying the logs.

To prevent this situation, do the following when upgrading MOVEit DMZ software to MOVEit Transfer 2017 (and later).

  1. Before you upgrade, manually start the MOVEit DMZ Log Tamper Check program from the Start menu.
  2. Immediately after you upgrade:
    • Sign-on as System Administrator. Click SETTINGS.
    • In the System section, Tamper Detection row, click Reset All Orgs.
  3. Click Reset Tamper Detection Data.

Upgrading to a release with Secure Folder Sharing (a post upgrade task is necessary)

If you upgrade your MOVEit Transfer installation with a version that enables Secure Folder Sharing, this feature set will be initially set to off. After the upgrade, as sysadmin user, you can apply the Secure Folder Sharing feature set selectively in Org Profile Settings. As sysadmin, you can apply these settings on an org-by-org basis.

Enable org UI Security Settings to Allow Secure Folder Sharing Feature Set (needed for upgrade installations)

Learn more...

System Requirements

MOVEit Transfer requires certain software and hardware to ensure correct operation.

MOVEit Transfer Server Requirements

These requirements apply to the supporting environment and operating system where you install MOVEit Transfer server.

Before you attempt to install MOVEit Transfer server, ensure your Windows server has the latest service packs and required updates installed.

Hardware Requirements

Minimum server requirements

  • Four-core server-class CPU (For example: Intel Xeon 4-core 2+GHz)
  • 8 GB RAM
  • 250 GB or larger free disk space, depending on workload
  • Gigabit Ethernet (GigE) Interface.

Typical server requirements

  • Eight-core CPU.
  • 16 GB RAM.
  • Hard drive capacity of 1TB (SAS) is common.
  • Free disk space should be sized based on the system log, task logs, and the expected number of concurrent active users and transfers.
  • Using SSD or other high-performance disk will improve performance.
  • GigE or better network interface card.

Note: MOVEit Transfer requires a dedicated server machine or hypervisor. Do not install MOVEit Transfer on a machine that has other applications installed.

Software Requirements

MOVEit Transfer server requires the following software.

Supported Operating Systems for MOVEit Transfer

  • Windows Server 2019
  • Windows Server 2016

.NET Framework

MOVEit Transfer requires .NET 4.7.2. If the server does not have Internet access, you must install .NET by other means before you run the MOVEit Transfer installation program.

Windows Server 2019 comes with .NET 4.7.2.

Supported Databases

MOVEit Transfer requires one of the following database platforms:.

  • MySQL 8 (included in the MOVEit Transfer installation)
  • Azure SQL Database
  • Microsoft SQL Server 2019 Enterprise/Standard
  • Microsoft SQL Server 2017 Enterprise/Standard
  • Microsoft SQL Server 2016 Enterprise/Standard
  • Earlier versions (not supported)

It is best to run the MOVEit Transfer Server and the database it connects to in the same time zone. Otherwise, security features like multi-factor authentication for sign-on as well as secure connection protocols used between the services will not function.

You can create an Azure SQL database using the Azure Management Portal. See the upgrade and migration section for instructions on how to migrate your current database to Azure SQL.

Compatible Third-Party AV/DLP Engines

The following major anti-virus (AV) and data loss prevention (DLP) engines are reviewed for compatibility with MOVEit Transfer.

AV Engines (some with AV/DLP)

Anti-Virus Scanner

Latest Version Reviewed

McAfee VirusScan Enterprise, McAfee VirusScan Enterprise for Storage (VSES)

Last reviewed version

McAfee Endpoint Security

Last reviewed version

McAfee Web Gateway

Last reviewed version 9.29 (36018)

Sophos Anti-Virus Dynamic Interface (SAVDI) scanner

Last reviewed version: 2.6

Sophos for Network Storage

Last reviewed version:

Symantec Protection Engine

Last reviewed version

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) *

Last reviewed:

  • A/V Pattern: 16.615.00
  • A/V Scan Engine: 12.5.100

DLP Engines

Data Loss Prevention Scanner

Latest Version Reviewed

McAfee Web Gateway*

Last reviewed with version 9.29 (36018)

Symantec DLP Suite

Last reviewed with version 15.x*

*DLP Blocked responses require additional configuration for some scanning engines such as McAfee and Symantec.

TLS Certificate

For use in production environments of the MOVEit Transfer Server, you should install a certificate from a trusted certificate authority. Apply the trusted certificate during installation or through the configuration utility.

Email Server (for notifications)

MOVEit Transfer needs an SMTP server to relay package notifications, account notifications, and other user messages. You will be asked for an SMTP server and credentials during the install process.

If you do not have email server information at the time of install, you can use the MOVEit Transfer Configuration Utility to add this information. For more information, see the MOVEit Transfer Admin Guide.

Browser Support

Supported Web Browsers

  • Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Safari

Other browsers might work with MOVEit Transfer but are not officially supported.

Additional Clients

MOVEit Mobile

MOVEit Mobile is available for the following devices:

  • iOS (Apple devices). Available for download in the Apple App Store.
  • Android (Android OS devices). Available for download from Google Play.

MOVEit Client

All current versions of the MOVEit Client are supported. Older versions will work with limited feature capabilities. Download the latest versions from the MOVEit Products page.

Outlook Plug-in (Ad Hoc)

  • Outlook Client:

    Outlook 2016 (English, German, French, Japanese, Simplified Chinese, Spanish and Traditional Chinese)

    Outlook 2013 (English, German, French, Japanese, Simplified Chinese, Spanish and Traditional Chinese)

    Outlook 2010 (32-bit and 64-bit English, German, French, Japanese, Simplified Chinese, Spanish and Traditional Chinese)

  • Mail or Exchange Server:

    Ad Hoc Transfer Plug-in for Outlook is compatible with a variety of mail servers, such as Exchange Server 2013, Exchange Server 2010 (32-bit and 64-bit English and German), or Progress IMail 11 (using SMTP). When Outlook & Exchange are used together, Cached Exchange Mode is supported but is not required.

  • Operating System:

    Microsoft Windows 10, Microsoft Windows 8, Windows 7 (32-bit and 64-bit English, German, French, Chinese Simplified, Chinese Traditional, Japanese)

Known Issues

This section outlines known issues and typical workarounds for MOVEit Transfer.



Known Issue in MOVEit Transfer



After you upgrade a MOVEit Transfer server to 2020 that leverages the legacy mobile server, if you subsequently uninstall only MOVEit Transfer, the next time you run the installer the Modify option displays but no real modify-install scenario exists. You will not be able to complete the MOVEit Transfer install process.


To run the installer successfully, you will need to uninstall the deprecated MOVEit Mobile Server manually. Then you can re-run the MOVEit Transfer Installer.


Central Agent, DMZ Agent

The Analytics Agent cannot connect to the MOVEit Transfer or MOVEit Automation 2019.1 with MySQL 8.


To resolve this issue, contact Technical Support to receive a hotfix.



Some virtual folder operations do not extend to the REST API.


For full parity, use the WebUI or MOVEit Automation.


Key Rotation

If disk capacity is less than the largest file in your filestore and you run key rotation, your key rotation process will fail to convert that file.


Key Rotation

Key rotation functionality does not extend directly to environments that use Azure Blob Service for their filestore.


Azure Storage has its own encryption scheme and key management infrastructure.

Licensees and Evaluators

For more information, please check our:

Copyright Notice

© 2021 Progress Software Corporation and/or one of its subsidiaries or affiliates. All rights reserved.

These materials and all Progress® software products are copyrighted and all rights are reserved by Progress Software Corporation. The information in these materials is subject to change without notice, and Progress Software Corporation assumes no responsibility for any errors that may appear therein. The references in these materials to specific platforms supported are subject to change.

Chef, Chef (and design), Chef Infra, Code Can (and design), Compliance at Velocity, Corticon, DataDirect (and design), DataDirect Cloud, DataDirect Connect, DataDirect Connect64, DataDirect XML Converters, DataDirect XQuery, DataRPM, Defrag This, Deliver More Than Expected, DevReach (and design), Icenium, Inspec, Ipswitch, iMacros, Kendo UI, Kinvey, MessageWay, MOVEit, NativeChat, NativeScript, OpenEdge, Powered by Chef, Powered by Progress, Progress, Progress Software Developers Network, SequeLink, Sitefinity (and Design), Sitefinity, Sitefinity (and design), SpeedScript, Stylus Studio, Stylized Design (Arrow/3D Box logo), Styleized Design (C Chef logo), Stylized Design of Samurai, TeamPulse, Telerik, Telerik (and design), Test Studio, WebSpeed, WhatsConfigured, WhatsConnected, WhatsUp, and WS_FTP are registered trademarks of Progress Software Corporation or one of its affiliates or subsidiaries in the U.S. and/or other countries.

Analytics360, AppServer, BusinessEdge, Chef Automate, Chef Compliance, Chef Desktop, Chef Habitat, Chef WorkStation, Corticon.js, Corticon Rules, Data Access, DataDirect Autonomous REST Connector, DataDirect Spy, DevCraft, Fiddler, Fiddler Everywhere, FiddlerCap, FiddlerCore, FiddlerScript, Hybrid Data Pipeline, iMail, JustAssembly, JustDecompile, JustMock, KendoReact, NativeScript Sidekick, OpenAccess, PASOE, Pro2, ProDataSet, Progress Results, Progress Software, ProVision, PSE Pro, Push Jobs, SafeSpaceVR, Sitefinity Cloud, Sitefinity CMS, Sitefinity Digital Experience Cloud, Sitefinity Feather, Sitefinity Insight, Sitefinity Thunder, SmartBrowser, SmartComponent, SmartDataBrowser, SmartDataObjects, SmartDataView, SmartDialog, SmartFolder, SmartFrame, SmartObjects, SmartPanel, SmartQuery, SmartViewer, SmartWindow, Supermarket, SupportLink, Unite UX, and WebClient are trademarks or service marks of Progress Software Corporation and/or its subsidiaries or affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Any other marks contained herein may be trademarks of their respective owners.

This document was published on Tuesday, August 3, 2021 at 17:46