Progress Fixes High-Severity MOVEit Transfer Vulnerability

Progress patches a MOVEit Transfer flaw letting attackers exhaust resources and cause denial-of-service without authentication.

Written By
Ken Underhill
Nov 3, 2025

Progress Software has released security patches for a high-severity vulnerability affecting its widely used MOVEit Transfer platform. 

The flaw could allow unauthenticated attackers to exhaust system resources and disrupt business-critical file transfer operations.

In its advisory, Progress said the issue “… affects MOVEit Transfer from 2025.0.0 before 2025.0.3, from 2024.1.0 before 2024.1.7, and from 2023.1.0 before 2023.1.16.”

Why the MOVEit DoS Bug Matters

The MOVEit Transfer platform is used by enterprises — including financial institutions, healthcare providers, and government agencies — for secure file exchange and data management. 

The vulnerability, tracked as CVE-2025-10932, poses a threat to users because it can cause denial-of-service (DoS) conditions without requiring authentication or user interaction. 

Inside the MOVEit Resource Flaw

At its core, the vulnerability arises from inadequate controls over resource allocation in the AS2 module. 

This weakness enables malicious actors to send specially crafted requests that consume server resources, such as CPU, memory, and network bandwidth, until the service becomes degraded or entirely unavailable.

This type of flaw, known as uncontrolled resource consumption, is one class of weakness that leads to denial-of-service (DoS) conditions. 

Because it is network-accessible and requires no authentication, attackers can launch such attacks remotely and with minimal effort. 

While no active exploitation has been reported as of this publication, the low attack complexity and wide deployment of MOVEit Transfer make the vulnerability particularly dangerous.

Closing the Gaps Before Attackers Do

Besides applying the patches, organizations can take the following steps to reduce their risk:

  • Temporarily disable the AS2 module: Remove vulnerable endpoint files (e.g., AS2Rec2.ashx and AS2Receiver.aspx) from the MOVEit Transfer installation directory to block external access until systems are patched.
  • Implement IP whitelisting: Restrict AS2 module access to trusted trading partner IPs to reduce exposure.
  • Monitor system and transfer logs: Continuously review MOVEit Transfer logs for abnormal resource usage, repeated AS2 requests, or unusual traffic spikes that could indicate exploitation attempts.
  • Enforce least privilege access: Limit administrative rights and service account permissions to minimize potential damage from compromised credentials.
  • Segment network access: Isolate file transfer servers from other critical infrastructure to contain potential attacks and prevent lateral movement.
  • Strengthen patch management and incident response (IR) processes: Regularly validate patch deployment workflows and ensure IR plans account for service degradation or denial-of-service conditions.
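As an added illustration of the IP allowlisting and log-monitoring steps above (this is not code from the article or from Progress), the following Python script runs both checks over constructed MOVEit Transfer access-log lines: it flags requests to the AS2 endpoint files from source addresses outside a trading-partner allowlist, and it flags any source that exceeds a request-rate threshold within a sliding time window. The W3C/IIS-style field layout, the allowlist, the thresholds and the sample log lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# AS2 endpoint files named in the mitigation list above (compared case-insensitively).
AS2_ENDPOINTS = ("/as2rec2.ashx", "/as2receiver.aspx")
# Assumed W3C/IIS-style layout: date time cs-method cs-uri-stem c-ip sc-status time-taken(ms).
LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) "
                    r"(?P<ip>\S+) (?P<status>\d+) (?P<ms>\d+)$")
def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "method": m["method"], "uri": m["uri"], "ip": m["ip"],
            "status": int(m["status"]), "ms": int(m["ms"])}
def find_as2_anomalies(lines, allowlist, max_hits=4, window=timedelta(seconds=60)):
    """Alerts: ('unexpected_source', ip) once per non-allowlisted IP hitting AS2, and
    ('as2_flood', ip, count) once per IP exceeding max_hits AS2 requests in any window."""
    hits, flagged, alerts = defaultdict(list), set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["uri"].lower().endswith(AS2_ENDPOINTS):
            continue  # only AS2 traffic matters for this advisory
        if rec["ip"] not in allowlist and rec["ip"] not in flagged:
            alerts.append(("unexpected_source", rec["ip"]))
            flagged.add(rec["ip"])
        hits[rec["ip"]].append(rec["ts"])
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 > max_hits:
                alerts.append(("as2_flood", ip, end - start + 1))
                break
    return alerts
# Constructed sample: one trading partner (203.0.113.10) and one unknown source hammering AS2.
SAMPLE_LOG = """\
2025-11-03 10:00:01 POST /AS2Rec2.ashx 203.0.113.10 200 120
2025-11-03 10:00:02 POST /AS2Rec2.ashx 198.51.100.7 200 9800
2025-11-03 10:00:03 POST /AS2Receiver.aspx 198.51.100.7 200 10100
2025-11-03 10:00:04 POST /AS2Rec2.ashx 198.51.100.7 500 12000
2025-11-03 10:00:05 POST /AS2Rec2.ashx 198.51.100.7 500 12300
2025-11-03 10:00:06 POST /AS2Rec2.ashx 198.51.100.7 500 12500
2025-11-03 10:00:07 GET /human.aspx 203.0.113.10 200 30
2025-11-03 10:30:00 POST /AS2Rec2.ashx 203.0.113.10 200 110
""".splitlines()
TRADING_PARTNERS = {"203.0.113.10"}  # assumed allowlist of AS2 partner addresses
```

Running `find_as2_anomalies(SAMPLE_LOG, TRADING_PARTNERS)` on the sample yields one unexpected-source alert and one flood alert for 198.51.100.7, and nothing for the allowlisted partner; tune `max_hits` and `window` to each partner's normal AS2 message volume.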

These steps help organizations limit exposure and keep systems stable while patches are deployed.

A Pattern of MOVEit Vulnerabilities

This latest MOVEit Transfer flaw adds to a growing list of security issues affecting the platform, underscoring the need for faster vulnerability disclosure, timely patching, and ongoing monitoring across enterprise environments. 

As organizations increasingly depend on third-party tools for sensitive data transfers, consistent patch management remains a critical safeguard. 

Even less publicized issues like resource consumption flaws can disrupt operations just as severely as large-scale data breaches.

Vulnerabilities like this highlight why organizations must adopt a zero-trust approach that verifies every user, device, and connection by default.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
