Progress Patches MOVEit Transfer Uncontrolled Resource Consumption vulnerability

Progress Software has released critical security patches addressing a high-severity vulnerability affecting MOVEit Transfer, a widely used enterprise file transfer solution.

The vulnerability, tracked as CVE-2025-10932, carries a CVSS score of 8.2 and impacts the AS2 module across multiple product versions.

The uncontrolled resource consumption vulnerability in MOVEit Transfer’s AS2 module could allow attackers to disrupt service availability by exhausting system resources.

The flaw exists in versions 2025.0.0 through 2025.0.2, 2024.1.0 through 2024.1.6, and 2023.1.0 through 2023.1.15. With a network-accessible attack vector requiring no authentication or user interaction, organizations using affected versions face significant exposure to potential service disruptions and exploitation.

MOVEit Transfer Vulnerability

The vulnerability stems from inadequate controls over resource consumption, classified under CWE-400. This category of flaws enables attackers to overwhelm systems by forcing excessive resource allocation, leading to denial-of-service conditions that impact legitimate business operations.

Progress has distributed hotfixes that mandate IP address whitelisting for the AS2 module, creating a protective barrier against unauthorized access. Organizations must take immediate action based on their specific deployment model.

For enterprises not utilizing the AS2 module with MOVEit products, a temporary workaround involves removing the vulnerable endpoints.

Administrators should delete the AS2Rec2.ashx and AS2Receiver.aspx files from the C:\MOVEit Transfer\wwwroot directory. This straightforward approach requires no server restart and maintains continuity until permanent patches are applied.

For organizations actively using AS2 functionality, applying the hotfix becomes essential. After updating to the patched versions MOVEit Transfer 2025.0.3, 2024.1.7, or 2023.1.16, administrators must configure IP whitelist rules for authorized trading partners. This involves logging into MOVEit Transfer as an administrator, navigating to Settings, accessing Security Policies, and configuring Remote Access Rules to restrict AS2 module access to trusted partner IP addresses.

Attribute             Value
CVE ID                CVE-2025-10932
Product               Progress MOVEit Transfer
Vulnerability Type    Uncontrolled Resource Consumption
Affected Module       AS2 Module
CVSS Score            8.2 (HIGH)
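The following PowerShell script is an added example for administrators triaging this advisory; it is not code from Progress or from the article. It takes the installed MOVEit Transfer version as a string supplied by the administrator, tells them whether that build falls inside one of the three affected ranges and which fixed build applies, reports whether the two AS2 endpoint files named in the workaround are still present in the web root, and (for deployments that do not use AS2) moves those files out of the web root with -WhatIf support. The web root defaults to the C:\MOVEit Transfer\wwwroot path from the article, and the backup directory under ProgramData is an assumed location; both can be overridden.

```powershell
# Added example (not Progress code): triage helpers for CVE-2025-10932 on a
# MOVEit Transfer server. Version ranges and file names come from the advisory
# summary above; the install path and backup directory are assumed defaults.

# Affected ranges and the fixed build for each supported branch.
$Branches = @(
    @{ Branch = '2025.0'; FirstAffected = '2025.0.0'; LastAffected = '2025.0.2';  Fixed = '2025.0.3' },
    @{ Branch = '2024.1'; FirstAffected = '2024.1.0'; LastAffected = '2024.1.6';  Fixed = '2024.1.7' },
    @{ Branch = '2023.1'; FirstAffected = '2023.1.0'; LastAffected = '2023.1.15'; Fixed = '2023.1.16' }
)

# AS2 endpoint files the workaround removes from the web root.
$As2Files = @('AS2Rec2.ashx', 'AS2Receiver.aspx')

function Test-MoveitAffected {
    # Classify an installed version string (e.g. '2024.1.5') against the advisory.
    param([Parameter(Mandatory)][string]$Version)

    $v = [version]$Version   # a malformed string throws here instead of silently passing
    foreach ($b in $Branches) {
        $branch = [version]$b.Branch
        # Compare only within the same major.minor branch so that, for example,
        # a 2024.1.x build is never measured against the 2025.0 range.
        if ($v.Major -eq $branch.Major -and $v.Minor -eq $branch.Minor) {
            $affected = ($v -ge [version]$b.FirstAffected) -and ($v -le [version]$b.LastAffected)
            return [pscustomobject]@{
                Version    = $Version
                Branch     = $b.Branch
                Supported  = $true
                Affected   = $affected
                FixedBuild = $b.Fixed
            }
        }
    }
    # Anything outside the three active branches is unsupported: the advisory says
    # to upgrade or apply the endpoint-removal workaround, not to assume it is safe.
    return [pscustomobject]@{
        Version    = $Version
        Branch     = $null
        Supported  = $false
        Affected   = $null
        FixedBuild = $null
    }
}

function Get-As2EndpointStatus {
    # Report whether each AS2 endpoint file is still present in the web root.
    param([string]$WebRoot = 'C:\MOVEit Transfer\wwwroot')   # assumed default install path

    foreach ($name in $As2Files) {
        $path = Join-Path $WebRoot $name
        [pscustomobject]@{
            File    = $name
            Path    = $path
            Present = (Test-Path -LiteralPath $path -PathType Leaf)
        }
    }
}

function Remove-As2Endpoint {
    # Workaround for deployments that do not use AS2: take the endpoint files out of
    # the web root. They are moved to a backup directory rather than deleted so they
    # can be restored once the patched build is installed. Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$WebRoot   = 'C:\MOVEit Transfer\wwwroot',
        [string]$BackupDir = (Join-Path $env:ProgramData 'MOVEit-AS2-backup')   # assumed location
    )

    foreach ($s in Get-As2EndpointStatus -WebRoot $WebRoot) {
        if (-not $s.Present) { continue }
        if ($PSCmdlet.ShouldProcess($s.Path, 'Move AS2 endpoint out of web root')) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            Move-Item -LiteralPath $s.Path -Destination $BackupDir -Force
        }
    }
}

# Usage, in an elevated PowerShell session on the MOVEit Transfer server:
#   Test-MoveitAffected -Version '2024.1.5'
#   Get-As2EndpointStatus | Format-Table
#   Remove-As2Endpoint -WhatIf
```

Test-MoveitAffected reports 2024.1.5 as affected with 2024.1.7 as the fixed build, 2025.0.3 as patched, and a build such as 2022.x as unsupported, which matches the article's advice to upgrade out-of-support branches. Run Remove-As2Endpoint with -WhatIf first to confirm which files would be moved, and only use it where the AS2 module is genuinely unused, since removing the endpoints stops inbound AS2 transfers.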

Progress has made fixed versions available through its Download Center for customers maintaining current maintenance agreements. The patch availability spans three major version lines, ensuring organizations can update within their supported product branch.

Customers without active maintenance agreements should contact Progress renewal services or their designated partner account representative.

Notably, Progress MOVEit Cloud users require no immediate action, as the cloud infrastructure has already been upgraded to patched versions. However, on-premises deployments demand rapid attention to mitigate exposure.

Organizations running MOVEit Transfer versions outside these active branches should prioritize upgrading to currently supported releases or implementing the temporary AS2 endpoint removal workaround.

The high CVSS score reflects the severity of this vulnerability and the potential business impact of service disruptions. Quick deployment of patches represents a critical priority for security teams managing file transfer infrastructure across their enterprise environments.
