Progress Software Corporation has issued a security advisory warning of a high-severity vulnerability in its MOVEit Transfer managed file transfer product.
Tracked as CVE-2025-10932 and rated CVSS 8.2, the flaw is described as an Uncontrolled Resource Consumption vulnerability within MOVEit Transfer’s AS2 (Applicability Statement 2) module — a critical component used by enterprises for secure, automated file exchanges.
The vulnerability affects all MOVEit Transfer releases from 2025.0.0 before 2025.0.3, from 2024.1.0 before 2024.1.7, and from 2023.1.0 before 2023.1.16.
While Progress MOVEit Cloud has already been updated to the patched version, on-premises deployments remain at risk until administrators apply the provided fixes.
The flaw lies in the MOVEit Transfer AS2 module, which handles secure partner-to-partner file exchanges using encryption and digital signatures.
According to Progress, the issue could allow resource exhaustion, potentially disrupting the file transfer service or degrading system performance.
If exploited, the flaw could allow a malicious actor to overwhelm server resources via crafted AS2 requests, leading to denial-of-service conditions and potentially impacting business-critical data exchanges across corporate networks.
Progress has released hotfixes and upgraded versions for all supported MOVEit Transfer branches, adding IP address whitelisting to restrict access to the AS2 module.
| Affected Version | Fixed Version |
|---|---|
| 2025.0.2 (17.0.2) and earlier | 2025.0.3 (17.0.3) |
| 2024.1.6 (16.1.6) and earlier | 2024.1.7 (16.1.7) |
| 2023.1.15 (15.1.15) and earlier | 2023.1.16 (15.1.16) |
For older or inactive installations such as MOVEit Transfer 2023.0 or 2024.0, administrators are urged to upgrade to an active version or apply the temporary mitigation steps outlined below.
For customers not using the AS2 feature, Progress recommends temporarily removing the AS2 endpoints to block attack vectors until patching is complete.
Steps include:
- Delete the following files from C:\MOVEitTransfer\wwwroot:
  - AS2Rec2.ashx
  - AS2Receiver.aspx
- No restart of the server or IIS service is required.
Once the hotfix or service pack is applied, these files will be restored automatically with built-in IP whitelist protection.
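The file-removal mitigation above, as an added PowerShell example (not from Progress or the original article). It assumes the default web root given in the advisory; the `-WebRoot` and `-Remove` parameters are names chosen for this example.

```powershell
# Added example, not Progress tooling. Audits (and optionally removes) the
# AS2 endpoint files named in the advisory for servers that do not use AS2.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: default install path from the advisory; override if different.
    [string]$WebRoot = 'C:\MOVEitTransfer\wwwroot',
    # Without this switch the script only reports and changes nothing.
    [switch]$Remove
)

# The two files the advisory says to delete when AS2 is not in use.
$as2Files = 'AS2Rec2.ashx', 'AS2Receiver.aspx'

if (-not (Test-Path -LiteralPath $WebRoot -PathType Container)) {
    throw "Web root not found: $WebRoot"
}

$report = foreach ($name in $as2Files) {
    $path    = Join-Path -Path $WebRoot -ChildPath $name
    $present = Test-Path -LiteralPath $path -PathType Leaf
    $action  = 'none'

    if ($present -and $Remove) {
        # ShouldProcess honours -WhatIf and -Confirm, so the change can be previewed.
        if ($PSCmdlet.ShouldProcess($path, 'Delete AS2 endpoint file')) {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            $action = 'deleted'
        } else {
            $action = 'skipped'
        }
    }

    [pscustomobject]@{
        File          = $name
        PresentBefore = $present
        Action        = $action
        PresentAfter  = Test-Path -LiteralPath $path -PathType Leaf
    }
}

$report | Format-Table -AutoSize

# An unpatched server with either file still present continues to expose AS2.
if ($report.PresentAfter -contains $true) {
    Write-Warning 'AS2 endpoint files are still present; apply the hotfix or rerun with -Remove.'
}
```

Run it with no switches to audit, or with `-Remove -WhatIf` to preview the deletion before committing to it.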
For customers actively using AS2, Progress advises applying the hotfix immediately and configuring IP allowlists for trusted trading partners:
- Log in as an administrator.
- Navigate to Settings → Security Policies → Remote Access → Default Rules.
- Under AS2 Remote Access Rules, add “Allow” rules for your partners’ IP addresses.
The MOVEit platform, used by thousands of enterprises and government agencies worldwide, has faced heightened scrutiny since the widespread exploitation of CVE-2023-34362, which was used in large-scale data theft operations by the Clop ransomware group.
While CVE-2025-10932 is not currently known to be exploited, the MOVEit ecosystem remains a high-value target for threat actors due to its role in sensitive data movement and regulatory compliance workflows.