Progress Software has released security patches to address a high-severity vulnerability in its MOVEit Transfer platform discovered on October 29, 2025.
The flaw, tracked as CVE-2025-10932, affects the AS2 module and allows attackers to consume system resources without proper restrictions.
| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-10932 |
| Vulnerability Type | Uncontrolled Resource Consumption (CWE-400) |
| Affected Component | Progress MOVEit Transfer AS2 Module |
| CVSS Score | 8.2 (HIGH) |
This vulnerability puts thousands of enterprise organizations at risk, particularly those relying on MOVEit Transfer for secure file exchange and data management operations.
The vulnerability received a CVSS severity score of 8.2, categorizing it as a high-risk threat that requires immediate attention.
Unlike some other critical flaws, this particular issue does not require authentication or user interaction, meaning attackers can exploit it remotely with minimal barriers to entry.
Progress Software moved quickly to address the issue by releasing patched versions and implementing temporary protective measures for customers who cannot immediately update their systems.
Understanding the Vulnerability and Its Impact
The uncontrolled resource consumption flaw impacts the AS2 module within MOVEit Transfer, a widely used file transfer solution trusted by financial institutions, healthcare providers, and government agencies.
The vulnerability allows an attacker to send specially crafted requests that consume excessive server resources, potentially leading to service degradation or complete system unavailability.
This type of flaw is a denial-of-service vulnerability: exploiting it can disrupt critical business operations and interrupt important file transfer workflows.
Multiple versions of MOVEit Transfer remain vulnerable to this attack. Progress has confirmed that versions ranging from 2025.0.0 through 2025.0.2, 2024.1.0 through 2024.1.6, and 2023.1.0 through 2023.1.15 all contain the flaw.
Organizations running any of these versions should treat this update as a priority security matter.
Progress released patched versions that implement IP address whitelisting to protect the AS2 module from unauthorized access.
Organizations using MOVEit Transfer have two primary options depending on their operational requirements.
Customers with current maintenance agreements can download the fixed versions directly from the Progress Download Center using their credentials. These include MOVEit Transfer 2025.0.3, 2024.1.7, and 2023.1.16 for respective version branches.
For organizations unable to immediately deploy patches, Progress recommends temporarily disabling the AS2 module by removing specific files from the installation directory.
This interim solution protects systems while organizations plan their update schedules. Alternatively, administrators can add IP addresses of trusted AS2 trading partners to a whitelist, limiting exposure until patches are installed.
Progress MOVEit Cloud customers require no action, as the company has already upgraded those cloud-hosted instances to the patched version. Organizations running on-premises installations must take active steps to secure their systems against this threat.
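The following Python sketch is an added example, not code from Progress or from the original article. It triages an asset inventory against the affected ranges and fixed releases listed above. The host names, the sample versions and the assumption that versions are reported as dotted numbers are constructed for illustration.

```python
import re

# Affected ranges and fixed releases exactly as stated in the article:
# branch -> (first affected, last affected, fixed release)
ADVISORY = {
    (2025, 0): ((2025, 0, 0), (2025, 0, 2), (2025, 0, 3)),
    (2024, 1): ((2024, 1, 0), (2024, 1, 6), (2024, 1, 7)),
    (2023, 1): ((2023, 1, 0), (2023, 1, 15), (2023, 1, 16)),
}

def parse_version(text):
    """Return (year, minor, patch) from a dotted version string, or None.

    Assumption: the inventory reports versions as 'YYYY.N.N', optionally
    followed by extra build components or text, which are ignored.
    """
    m = re.match(r"\s*(\d{4})\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text):
    """Classify one version string against the advisory ranges."""
    v = parse_version(version_text)
    if v is None:
        return ("unparsed", None)
    entry = ADVISORY.get(v[:2])
    if entry is None:
        # The article lists no range for this branch; do not assume it is safe.
        return ("branch-not-listed", None)
    first, last, fixed = entry
    if first <= v <= last:
        return ("affected", ".".join(map(str, fixed)))
    return ("patched", None)

INVENTORY = [  # constructed sample data, not real hosts
    ("mft-prod-01", "2024.1.6"),
    ("mft-prod-02", "2025.0.3"),
    ("mft-dr-01", "2023.1.15.204"),
    ("mft-legacy", "2023.0.8"),
    ("mft-test", "unknown"),
]

def triage_inventory(inventory):
    return {host: triage(ver) for host, ver in inventory}

if __name__ == "__main__":
    for host, (status, fix) in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status:18} {'upgrade to ' + fix if fix else ''}")
```

Hosts reported as `branch-not-listed` or `unparsed` need manual review against the vendor advisory, since the article gives no status for those branches.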