Progress Software has released critical security patches addressing a high-severity vulnerability in its MOVEit Transfer platform discovered on October 29, 2025.
The flaw, tracked as CVE-2025-10932, affects the AS2 module and allows attackers to consume system resources without proper restrictions, creating a significant risk for thousands of enterprise organizations worldwide.
The vulnerability received a CVSS severity score of 8.2, categorizing it as a high-risk threat requiring immediate attention.
Unlike some critical flaws, this particular issue does not require authentication or user interaction, meaning attackers can exploit it remotely with minimal barriers to entry.
This vulnerability puts financial institutions, healthcare providers, government agencies, and other organizations relying on MOVEit Transfer for secure file exchange operations at considerable risk.

| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-10932 |
| Vulnerability Type | Uncontrolled Resource Consumption (CWE-400) |
| Affected Component | Progress MOVEit Transfer AS2 Module |
| CVSS Score | 8.2 (HIGH) |
| Affected Versions | 2025.0.0–2025.0.2, 2024.1.0–2024.1.6, 2023.1.0–2023.1.15 |
| Patched Versions | 2025.0.3, 2024.1.7, 2023.1.16 |

The uncontrolled resource consumption flaw impacts the AS2 module within MOVEit Transfer, a widely used file transfer solution.
The vulnerability allows attackers to send specially crafted requests that consume excessive server resources, potentially leading to service degradation or complete system unavailability.
This type of flaw, known as a denial-of-service vulnerability, can disrupt critical business operations and interrupt important file transfer workflows.
Multiple versions of MOVEit Transfer remain vulnerable to this attack. Progress has confirmed that versions ranging from 2025.0.0 through 2025.0.2, 2024.1.0 through 2024.1.6, and 2023.1.0 through 2023.1.15 all contain the flaw.
Organizations running any of these versions should treat this update as a priority security matter.
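A version triage check for the ranges listed above, added here as an example (it is not Progress tooling or code from the original article). The hostnames and inventory are constructed, and ignoring a trailing build number in a version string is an assumption.

```python
import re

# Last affected patch level and first fixed release per branch, from the table above.
ADVISORY = {
    (2025, 0): (2, "2025.0.3"),
    (2024, 1): (6, "2024.1.7"),
    (2023, 1): (15, "2023.1.16"),
}

def parse_version(text):
    """Return (year, minor, patch), or None if text is not a dotted version.
    Assumption: a trailing fourth (build) component, if present, is ignored."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)\.(\d+)(?:\.\d+)?\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    """Return (status, upgrade_target) for one reported version string."""
    v = parse_version(version_text)
    if v is None:
        return ("unparsed", None)        # needs manual inspection
    entry = ADVISORY.get(v[:2])
    if entry is None:
        return ("not_listed", None)      # branch not covered by the ranges on this page
    last_affected, fixed = entry
    if v[2] <= last_affected:
        return ("affected", fixed)
    return ("patched", None)

def affected_hosts(inventory):
    """Return sorted (host, version, upgrade_target) for hosts in an affected range."""
    hits = []
    for host, version in inventory.items():
        status, target = classify(version)
        if status == "affected":
            hits.append((host, version, target))
    return sorted(hits)

# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "mft-prod-01": "2024.1.6",
    "mft-prod-02": "2024.1.7",
    "mft-dr-01": "2023.1.15",
    "mft-lab-01": "2022.0.4",
    "mft-test-01": "unknown",
}

if __name__ == "__main__":
    for host, version, target in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {target}")
```

Hosts reported as `not_listed` or `unparsed` are not cleared by this check; they fall outside the ranges this page gives and need to be checked against the vendor advisory directly.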
Mitigation and Patching Options
Progress moved quickly to address the issue by releasing patched versions and implementing temporary protective measures for customers unable to immediately update their systems.
The company released patched versions that implement IP address whitelisting to protect the AS2 module from unauthorized access.
Customers with current maintenance agreements can download fixed versions directly from the Progress Download Center.
For organizations unable to immediately deploy patches, Progress recommends temporarily disabling the AS2 module by removing specific files from the installation directory.
Alternatively, administrators can add IP addresses of trusted AS2 trading partners to a whitelist, limiting exposure until patches are installed.
Progress MOVEit Cloud customers require no action, as the company has already upgraded cloud-hosted instances to the patched version.
Organizations running on-premises installations must take active steps to secure their systems against this threat, making prompt patching essential for maintaining operational security and business continuity.