Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
AnalysisAI
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-service via excessive resource consumption. Unauthenticated network attackers can trigger the flaw against versions prior to 2025.0.11 and 2025.1.x prior to 2025.1.7, resulting in availability loss with no confidentiality or integrity impact per the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis; risk is moderated by high attack complexity.
Technical ContextAI
CWE-789 (Uncontrolled Memory Allocation) describes a class of defects where an application allocates memory based on an attacker-controlled value without sufficient bounds checking or validation. In MOVEit Automation - Progress Software's workflow automation component of the MOVEit file transfer platform - the application apparently accepts a network-supplied parameter that drives a memory allocation call, allowing an adversary to cause the process to request arbitrarily large heap regions. The affected CPE scope encompasses two distinct version branches: the 2025.0.x line (all releases before 2025.0.11) and the 2025.1.x line (2025.1.0 through pre-2025.1.7), as confirmed by the vendor release notes reference. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U) indicates the flaw is network-reachable and requires no authentication, but high attack complexity (AC:H) implies that triggering the condition reliably requires non-trivial knowledge of a specific request structure, timing, or protocol state.
RemediationAI
Upgrade MOVEit Automation to version 2025.0.11 or later for the 2025.0.x branch, or to version 2025.1.7 or later for the 2025.1.x branch, as documented in the vendor release notes at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. If immediate patching is not possible, compensating controls should focus on reducing the attack surface: restrict network access to the MOVEit Automation management and API endpoints at the perimeter firewall or load balancer, limiting exposure to trusted IP ranges only - this directly counters the AV:N attack vector. Additionally, resource limits (OS-level memory quotas or container cgroups) on the MOVEit Automation process can cap the blast radius of a successful exploitation attempt, preventing a full-system memory exhaustion at the cost of potential performance degradation under legitimate high-load conditions. No workarounds that eliminate the vulnerability without patching are confirmed in the available data.
More in Moveit Automation
View allAuthentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent aut
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privil
The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insuffic
Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low
An issue was discovered in Progress MOVEit Automation Web Admin. Rated medium severity (CVSS 6.1), this vulnerability is
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (C
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to d
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31115
GHSA-cpwg-526g-9gc5