Progress Software Patches High-Severity Vulnerability in MOVEit Transfer AS2 Module

High-Severity Vulnerability in MOVEit Transfer’s AS2 Module Patched by Progress Software

Progress Software has recently addressed a significant security flaw in its MOVEit Transfer product, a widely used enterprise file transfer solution. The vulnerability, identified as CVE-2025-10932 with a CVSS score of 8.2, resides in the AS2 module and affects multiple versions of the software.

Understanding the Vulnerability

The core issue is uncontrolled resource consumption in the AS2 module, categorized as CWE-400 (Uncontrolled Resource Consumption). An attacker can exhaust the service with excessive resource requests, potentially leading to denial-of-service (DoS) conditions. Such attacks can disrupt legitimate business operations by rendering the file transfer service unavailable.

Affected Versions

The vulnerability impacts the following versions of MOVEit Transfer:

– 2025.0.0 through 2025.0.2
– 2024.1.0 through 2024.1.6
– 2023.1.0 through 2023.1.15

Given the network-accessible nature of this flaw, which requires no authentication or user interaction, organizations using these versions are at significant risk of service disruptions and potential exploitation.

Mitigation Measures

To counteract this vulnerability, Progress Software has released hotfixes that enforce IP address whitelisting for the AS2 module, thereby restricting access to authorized entities. Organizations are advised to take the following actions based on their deployment scenarios:

1. For Enterprises Not Utilizing the AS2 Module:

– Temporarily remove the vulnerable endpoints by deleting the `AS2Rec2.ashx` and `AS2Receiver.aspx` files from the `C:\MOVEitTransfer\wwwroot` directory.
– This action does not require a server restart and serves as an interim measure until permanent patches are applied.

2. For Organizations Using AS2 Functionality:

– Apply the hotfix by updating to the patched versions:
  – MOVEit Transfer 2025.0.3
  – MOVEit Transfer 2024.1.7
  – MOVEit Transfer 2023.1.16
– After updating, configure IP whitelist rules for authorized trading partners:
  – Log in to MOVEit Transfer as an administrator.
  – Navigate to Settings > Security Policies.
  – Configure Remote Access Rules to restrict AS2 module access to trusted partner IP addresses.
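The following triage helper is an added example, not code from Progress Software or from this advisory. It encodes the affected version ranges and fixed versions listed under "Affected Versions" and "Mitigation Measures" above, reports whether an installed MOVEit Transfer version is affected and which release on its branch to move to, and implements the interim workaround for deployments that do not use AS2. One deliberate difference from the advisory's instruction is an assumption of this example: instead of deleting `AS2Rec2.ashx` and `AS2Receiver.aspx` outright, it moves them out of `wwwroot` into a backup folder, which removes the endpoints just as effectively while keeping a copy for restoration after the hotfix is applied. The `run_demo` function exercises everything on a constructed temporary directory so the script runs offline on any platform; on a real server you would point `quarantine_as2_endpoints` at `C:\MOVEitTransfer\wwwroot`.

```python
"""Triage helper for CVE-2025-10932 (MOVEit Transfer AS2 module).

Added example, not Progress Software's code. Version data is taken from the
advisory text; the backup-instead-of-delete behaviour is this example's choice.
"""
import shutil
import tempfile
from pathlib import Path

# Affected ranges and fixed releases per supported branch, as stated in the advisory.
# Key: (major, minor) branch -> highest affected patch level and the fixed version.
BRANCHES = {
    (2025, 0): {"affected_max": (2025, 0, 2), "fixed": (2025, 0, 3)},
    (2024, 1): {"affected_max": (2024, 1, 6), "fixed": (2024, 1, 7)},
    (2023, 1): {"affected_max": (2023, 1, 15), "fixed": (2023, 1, 16)},
}

# The two AS2 endpoint files named in the advisory's interim workaround.
AS2_ENDPOINTS = ("AS2Rec2.ashx", "AS2Receiver.aspx")


def parse_version(text):
    """Parse 'YYYY.minor.patch' into an integer tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MOVEit Transfer version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess_version(text):
    """Return (status, fixed_version) for an installed version string.

    status is one of 'affected', 'patched' or 'unsupported-branch'; fixed_version
    is the dotted target release for 'affected', otherwise None.
    """
    v = parse_version(text)
    branch = BRANCHES.get(v[:2])
    if branch is None:
        # Not one of the three active branches: the advisory says to upgrade to a
        # supported release rather than expect a hotfix for this branch.
        return ("unsupported-branch", None)
    if v <= branch["affected_max"]:
        return ("affected", ".".join(str(n) for n in branch["fixed"]))
    return ("patched", None)


def as2_endpoints_present(wwwroot):
    """List which of the AS2 endpoint files still exist under wwwroot."""
    root = Path(wwwroot)
    return [name for name in AS2_ENDPOINTS if (root / name).is_file()]


def quarantine_as2_endpoints(wwwroot, backup_dir):
    """Interim workaround for sites not using AS2: move the endpoint files out of
    wwwroot into backup_dir. Returns the names that were moved. No restart needed."""
    root, backup = Path(wwwroot), Path(backup_dir)
    backup.mkdir(parents=True, exist_ok=True)
    moved = []
    for name in AS2_ENDPOINTS:
        src = root / name
        if src.is_file():
            shutil.move(str(src), str(backup / name))
            moved.append(name)
    return moved


def run_demo():
    """Exercise the helpers on a constructed wwwroot in a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="moveit-demo-"))
    wwwroot = base / "wwwroot"
    wwwroot.mkdir()
    for name in AS2_ENDPOINTS:           # constructed stand-ins for the real handlers
        (wwwroot / name).write_text("placeholder")
    (wwwroot / "index.html").write_text("placeholder")  # unrelated file must survive

    before = as2_endpoints_present(wwwroot)
    moved = quarantine_as2_endpoints(wwwroot, base / "as2-backup")
    after = as2_endpoints_present(wwwroot)
    result = {
        "before": sorted(before),
        "moved": sorted(moved),
        "after": after,
        "other_files_intact": (wwwroot / "index.html").is_file(),
        "backup_count": len(list((base / "as2-backup").iterdir())),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for installed in ("2025.0.2", "2024.1.7", "2023.1.15", "2022.0.1"):
        print(installed, "->", assess_version(installed))
    print(run_demo())
```

`assess_version` treats any branch other than the three listed as "unsupported-branch" because the advisory only provides hotfixes for those lines; that matches its guidance that other versions should be upgraded to a supported release. Keep the backup folder outside any web-served path so the moved handlers cannot be reached over HTTP.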

Patch Availability

Progress Software has made the fixed versions available through its Download Center for customers with active maintenance agreements. The patches cover three major version lines, ensuring that organizations can update within their supported product branch. Customers without active maintenance agreements should contact Progress renewal services or their designated partner account representative.

Special Note for MOVEit Cloud Users

Users of Progress MOVEit Cloud do not need to take any immediate action, as the cloud infrastructure has already been upgraded to the patched versions. However, on-premises deployments require prompt attention to mitigate exposure.

Recommendations for Organizations

Organizations running MOVEit Transfer versions outside the specified active branches should prioritize upgrading to currently supported releases or implement the temporary AS2 endpoint removal workaround. The high CVSS score underscores the severity of this vulnerability and the potential business impact of service disruptions. Rapid deployment of patches is crucial for security teams managing file transfer infrastructure across enterprise environments.

Conclusion

The swift response by Progress Software in releasing patches for this high-severity vulnerability highlights the importance of proactive security measures. Organizations must remain vigilant, promptly apply security updates, and configure systems to minimize exposure to potential threats. By taking these steps, businesses can ensure the integrity and availability of their critical file transfer operations.