Introduction
Denial of service attacks against secure file transfer infrastructure can disrupt critical business operations and regulatory data exchanges. The latest uncontrolled resource consumption vulnerability in Progress MOVEit Transfer's AS2 module (CVE-2025-10932) exposes organizations to significant operational risk if left unpatched.
About MOVEit Transfer and Progress Software: Progress Software is a major enterprise software vendor with a global customer base, best known for its MOVEit Transfer product. MOVEit Transfer is widely used for secure file transfer in regulated industries, government, and large enterprises. The AS2 module is a core component for secure B2B file exchange, making this vulnerability especially impactful for organizations with compliance requirements.
Technical Information
CVE-2025-10932 is classified as CWE-400 (Uncontrolled Resource Consumption). The flaw exists in the AS2 module of MOVEit Transfer, which is responsible for processing Applicability Statement 2 (AS2) protocol messages used for secure business-to-business file transfers. Attackers can exploit this by sending crafted AS2 messages or sequences of requests that trigger excessive consumption of system resources such as memory or CPU. This can lead to service degradation or a complete denial of service, preventing legitimate file transfers.
The root cause is insufficient resource management in the AS2 message processing logic. Specifically, the module does not adequately limit or throttle resource usage per connection or message, allowing attackers to overwhelm the application. No public code snippets or stack traces are available at this time. Attackers may not require authentication, as AS2 endpoints are often exposed to external partners by design.
Affected Systems and Versions
- MOVEit Transfer 2025.0.0 before 2025.0.3
- MOVEit Transfer 2024.1.0 before 2024.1.7
- MOVEit Transfer 2023.1.0 before 2023.1.16
All deployments with the AS2 module enabled and accessible are at risk. No information is available about specific configuration dependencies beyond version and module exposure.
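A defender can triage an inventory against the affected ranges listed above. The following is an added example, not code from Progress or from the original advisory; the host names and the sample inventory are constructed, and it assumes each record carries the release-style version string used in the list above plus a flag for whether the AS2 module is enabled.

```python
import re
from typing import NamedTuple, Optional

# (first affected, first fixed) per branch, exactly as listed in the advisory text above.
AFFECTED_RANGES = [
    ((2025, 0, 0), (2025, 0, 3)),
    ((2024, 1, 0), (2024, 1, 7)),
    ((2023, 1, 0), (2023, 1, 16)),
]

class Finding(NamedTuple):
    host: str
    status: str              # affected | affected-as2-disabled | fixed | unlisted | unparseable
    fixed_in: Optional[str]  # first fixed release of the matching branch, if any

def parse_version(text: str):
    """Return (major, minor, patch) as ints, ignoring any extra build components."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(host: str, version: str, as2_enabled: bool) -> Finding:
    v = parse_version(version)
    if v is None:
        return Finding(host, "unparseable", None)  # needs manual review
    for first, fixed in AFFECTED_RANGES:
        fixed_str = ".".join(map(str, fixed))
        # Integer tuples compare numerically, so 2023.1.9 sorts before 2023.1.16;
        # a plain string comparison would rank it after and miss the host.
        if first <= v < fixed:
            status = "affected" if as2_enabled else "affected-as2-disabled"
            return Finding(host, status, fixed_str)
        if v[:2] == fixed[:2] and v >= fixed:
            return Finding(host, "fixed", fixed_str)
    # Branch not named in the list above: the advisory text makes no statement about it.
    return Finding(host, "unlisted", None)

# Constructed sample inventory (hypothetical hosts): (host, version, AS2 enabled)
SAMPLE_INVENTORY = [
    ("mft-prod-01", "2025.0.2", True),
    ("mft-prod-02", "2024.1.7", True),
    ("mft-dr-01", "2023.1.9", False),
    ("mft-legacy", "2024.0.4", True),
]

def triage(inventory):
    return [assess(*row) for row in inventory]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.status:22} fixed in: {f.fixed_in or '-'}")
```

Hosts reported as affected-as2-disabled still run a vulnerable build and become exposed if the module is later enabled; unlisted and unparseable results need a manual check against the vendor advisory.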
Vendor Security History
Progress Software has a documented history of critical vulnerabilities in MOVEit Transfer. Notably, CVE-2023-34362 (SQL injection) was exploited at scale in 2023, leading to major data breaches. Multiple additional MOVEit Transfer vulnerabilities have been disclosed and patched since, including authentication bypass and resource management issues. Progress generally issues patches rapidly and maintains public advisories, but the frequency of critical flaws has raised concerns about the security maturity of its development lifecycle.



